08-17-2006 12:25 AM - edited 03-09-2019 03:55 PM
Hi,
At first the performance decreases, followed by a white (empty) screen.
"longurl-truncate" and "cgi-truncate" are configured.
The url-server is configured as follows:
"vendor websense host x.x.x.x timeout 10 protocol TCP version 4 connections 8".
The requests for this url are tagged as "permit" on the Websense-Server.
Our workaround is to exclude the destination-address from filtering.
Is it possible that this issue is caused by bug CSCse66244?
Regards.
Volker
08-23-2006 05:31 AM
Try:
Disable URL filtering to restore regular web access performance.
08-23-2006 09:29 AM
Our workaround takes this for the affected address.
08-29-2006 12:30 PM
From Websense's site on PIX/ASA configs
Memory Allocation / Long URL Truncation:
Certain URLs (for example, webmail addresses) which use Active X controls and feature unusually long URL strings are not processed correctly by the PIX. They are truncated and do not in fact appear in the PIX logs at all. Typical symptoms include a "Page Cannot Be Displayed" message or the request appears to time out. The PIX's internal buffer cannot handle the size and length of the URL string.
This issue is resolved by using TCP instead of UDP, and adding two additional lines to the configuration. These commands increase the size of the internal buffer that handles the GET requests when Websense is enabled.
url-block url-mempool memory_pool_size
url-block url-size long_url_size
Replace memory_pool_size with a value from 2 to 10240 (in KB) for URL buffer memory allocation.
Replace long_url_size with a value from 2 to 6 for a maximum URL size of 2 KB to 6 KB.
Examples:
url-block url-mempool 1500
url-block url-size 4
Websense Filtering Service supports URLs of up to 6 K bytes.
PIX Firewall version 6.1 and earlier versions do not support filtering for URLs longer than 1159 bytes.
PIX Firewall version 6.2 supports a maximum URL length of 1159 bytes for the N2H2 filtering server.
PIX Firewall version 6.2 supports filtering for URLs up to 6 K bytes for the Websense Filtering Service.
PIX Firewall version 6.2 introduces the longurl-truncate and cgi-truncate commands to allow handling of URL requests longer than the maximum permitted size.
(PIX versions earlier than v6.1 do not support the longurl-truncate command.) The format for these options is shown next:
filter url [http | 80] 0 0 0 0 allow [longurl-truncate | longurl-deny | cgi-truncate]
The longurl-truncate command causes PIX Firewall to send only the host name or IP address portion of the URL for evaluation to Filtering Service when the URL is longer than the maximum length permitted.
Use the longurl-deny option to deny outbound URL traffic if the URL is longer than the maximum permitted.
Use the cgi-truncate option to send a CGI script as the URL. **** This option will prevent keyword blocking from working correctly when the user searches for blocked keywords in image search. Websense uses cgi to block keywords not in the url.*****
Also available:
block block_buffer_limit
Creates an HTTP response buffer to store web server responses while waiting for a filtering decision from the filtering server. The permitted values are from 0 to 128, which specifies the number of 1550-byte blocks.
[no] url-block block block_buffer_limit
Removes the url-block setting.
clear url-block block stat
Clears the url-block statistics.
show url-block block stat
Displays the url-block statistics.
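An added example, not part of the original post or of Websense's note: a small Python check that audits the URL-filtering lines of a PIX/FWSM-style configuration against the ranges and options quoted above. The sample configuration, the address 192.0.2.10 and the function name are constructed for illustration.

```python
import re

# Constructed sample config (not from the thread); 192.0.2.10 is a documentation address.
SAMPLE_CONFIG = """\
url-server (inside) vendor websense host 192.0.2.10 timeout 10 protocol UDP version 4
filter url http 0 0 0 0 allow cgi-truncate
url-block url-mempool 1500
url-block url-size 8
"""

# Ranges as quoted in the post: pool size in KB, maximum URL size in KB.
LIMITS = {"url-mempool": (2, 10240), "url-size": (2, 6)}

def audit_url_filtering(config):
    """Return a list of findings for the URL-filtering lines of a config."""
    findings = []
    lines = [l.strip() for l in config.splitlines() if l.strip()]

    # The post says the long-URL issue is resolved by using TCP instead of UDP.
    for l in (l for l in lines if "vendor websense" in l.lower()):
        m = re.search(r"\bprotocol\s+(\S+)", l, re.I)
        if m and m.group(1).upper() != "TCP":
            findings.append("url-server uses %s; use TCP for long URLs" % m.group(1).upper())

    # url-block buffer settings must be present and inside the quoted ranges.
    for key, (lo, hi) in LIMITS.items():
        m = re.search(r"^\s*url-block\s+%s\s+(\d+)\s*$" % key, config, re.M)
        if not m:
            findings.append("url-block %s is not set" % key)
        elif not lo <= int(m.group(1)) <= hi:
            findings.append("url-block %s %s is outside %d-%d" % (key, m.group(1), lo, hi))

    # Options on the filter url line decide what the filtering service sees.
    for l in (l for l in lines if l.startswith("filter url")):
        opts = set(l.split())
        if not opts & {"longurl-truncate", "longurl-deny"}:
            findings.append("filter url sets neither longurl-truncate nor longurl-deny")
        if "longurl-truncate" in opts:
            findings.append("longurl-truncate: over-length URLs are judged on host name/IP only")
        if "cgi-truncate" in opts:
            findings.append("cgi-truncate: keyword blocking may not work (e.g. image search)")
    return findings

if __name__ == "__main__":
    for finding in audit_url_filtering(SAMPLE_CONFIG):
        print("-", finding)
```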
09-18-2006 06:22 AM
@jwjohansen:
Thanks for your information. But we did some tests in a team with Websense TAC, including the modification of
url-block url-mempool 1500
url-block url-size 4
The issue was not resolved in our fwsm.
Regards.
Volker
09-18-2006 12:20 AM
Yes, that bug is the exact cause. You can open a TAC case and get the "3.1(3.6)" version on special download. This version fixed a fair portion of our performance issues. Although there are a ton of Websense patches, a couple specific to Websense performance, that have come out in the last month.
Patrick
09-18-2006 06:24 AM
Hi Patrick,
Thank you for this information. I will open a TAC case now and post information after the upgrade.
Kind Regards.
Volker
10-12-2006 11:20 PM
Hi Patrick,
Last night we updated to release 3.1(3)6 and I tested with the customer without excluding the destination address:
It works fine.
Kind Regards.
Volker
10-25-2006 06:28 AM
Hi Patrick,
We have the same problem again. Yesterday the performance decelerated and today it does not work. I configured the workaround again: exclude the destination address.
Should we open a TAC case?
Kind Regards.
Volker