Websense and FWSM 3.1(1): Problems with very long urls

Volker Janusch
Level 4

Hi,

At first the performance decreases, followed by a white (empty) screen.

"longurl-truncate" and "cgi-truncate" are configured.

The url-server is configured as follows:

"vendor websense host x.x.x.x timeout 10 protocol TCP version 4 connections 8".

The requests for this url are tagged as "permit" on the Websense-Server.

Our workaround is to exclude the destination-address from filtering.

Is it possible that this issue is caused by bug CSCse66244?

Regards.

Volker

Manager DC-Networking, Automation & WLAN
Logicalis GmbH

Accepted Solutions

Patrick Laidlaw
Level 4

Yes, that bug is the exact cause. You can open a TAC case and get the "3.1(3.6)" version on special download. This version fixed a fair portion of our performance issues. Although there are a ton of Websense patches, a couple specific to Websense performance, that have come out in the last month.

Patrick

bwalchez
Level 4

Try:

Disable URL filtering to restore regular web access performance.

Our workaround takes this for the affected address.

Manager DC-Networking, Automation & WLAN
Logicalis GmbH

jwjohansen
Level 1

From Websense's site on PIX/ASA configs

Memory Allocation / Long URL Truncation:

Certain URLs (for example, webmail addresses) which use Active X controls and feature unusually long URL strings are not processed correctly by the PIX. They are truncated and do not in fact appear in the PIX logs at all. Typical symptoms include a "Page Cannot Be Displayed" message or the request appears to time out. The PIX's internal buffer cannot handle the size and length of the URL string.

This issue is resolved by using TCP instead of UDP, and adding two additional lines to the configuration. These commands increase the size of the internal buffer that handles the GET requests when Websense is enabled.

url-block url-mempool memory_pool_size

url-block url-size long_url_size

Replace memory_pool_size with a value from 2 to 10240 (in KB) for URL buffer memory allocation.

Replace long_url_size with a value from 2 to 6 for a maximum URL size of 2 KB to 6 KB.

Examples:

url-block url-mempool 1500

url-block url-size 4

Websense Filtering Service supports URLs of up to 6 K bytes.

PIX Firewall version 6.1 and earlier versions do not support filtering for URLs longer than 1159 bytes.

PIX Firewall version 6.2 supports a maximum URL length of 1159 bytes for the N2H2 filtering server.

PIX Firewall version 6.2 supports filtering for URLs up to 6 K bytes for the Websense Filtering Service.

PIX Firewall version 6.2 introduces the longurl-truncate and cgi-truncate commands to allow handling of URL requests longer than the maximum permitted size.

(PIX versions earlier than v6.1 do not support the longurl-truncate command.) The format for these options is shown next:

filter url [http | 80] 0 0 0 0 allow [longurl-truncate | longurl-deny | cgi-truncate]

The longurl-truncate command causes PIX Firewall to send only the host name or IP address portion of the URL for evaluation to Filtering Service when the URL is longer than the maximum length permitted.

Use the longurl-deny option to deny outbound URL traffic if the URL is longer than the maximum permitted.

Use the cgi-truncate option to send a CGI script as the URL. **** This option will prevent keyword blocking from working correctly when the user searches for blocked keywords in image search. Websense uses cgi to block keywords not in the url.*****

Also available:

block block_buffer_limit

Creates an HTTP response buffer to store web server responses while waiting for a filtering decision from the filtering server. The permitted values are from 0 to 128, which specifies the number of 1550-byte blocks.

[no] url-block block block_buffer_limit

Removes the url-block setting.

clear url-block block stat

Clears the url-block statistics.

show url-block block stat

Displays the url-block statistics.

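The settings quoted in the post above can be checked mechanically. The following is an added example, not part of the original thread or of Cisco's or Websense's tooling: a small Python audit that reads PIX/FWSM-style configuration text and reports url-block values outside the quoted ranges, a Websense url-server set to UDP, and filter url lines without a long-URL option. The function name and both sample configurations are constructed for illustration.

```python
import re

# Value ranges as quoted in the post above.
LIMITS = {"url-mempool": (2, 10240), "url-size": (2, 6), "block": (0, 128)}
LONG_URL_OPTS = {"longurl-truncate", "longurl-deny"}

def audit_url_filtering(config):
    """Return a list of findings for the URL-filtering lines of a config."""
    findings, seen = [], set()
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"url-block (url-mempool|url-size|block) (\d+)", line)
        if m:
            key, value = m.group(1), int(m.group(2))
            lo, hi = LIMITS[key]
            seen.add(key)
            if not lo <= value <= hi:
                findings.append(f"url-block {key} {value} is outside {lo}-{hi}")
        elif "vendor websense" in line:
            if re.search(r"\bprotocol\s+udp\b", line, re.IGNORECASE):
                findings.append("url-server uses UDP; the post recommends TCP")
        elif line.startswith("filter url "):
            opts = set(line.split())
            if not opts & LONG_URL_OPTS:
                findings.append("filter url has no longurl-truncate or longurl-deny")
            if "cgi-truncate" in opts:
                findings.append("cgi-truncate set: keyword blocking on CGI parameters is lost")
    # The two buffer settings the post adds must both be present.
    for key in ("url-mempool", "url-size"):
        if key not in seen:
            findings.append(f"url-block {key} is not configured")
    return findings

# Constructed sample configs (addresses from the documentation range).
WEAK = """\
url-server (inside) vendor websense host 192.0.2.10 timeout 10 protocol UDP version 4
filter url http 0 0 0 0 allow cgi-truncate
url-block url-size 8
"""
TUNED = """\
url-server (inside) vendor websense host 192.0.2.10 timeout 10 protocol TCP version 4 connections 8
filter url http 0 0 0 0 allow longurl-truncate
url-block url-mempool 1500
url-block url-size 4
"""

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("TUNED", TUNED)):
        print(name, audit_url_filtering(cfg) or "no findings")
```

A clean result only means the configuration matches the quoted guidance; it says nothing about software defects such as the bug discussed in this thread.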

@jwjohansen:

Thanks for your information. But we did some tests in a team with Websense TAC, including the modification of

url-block url-mempool 1500

url-block url-size 4

The issue was not resolved in our FWSM.

Regards.

Volker

Manager DC-Networking, Automation & WLAN
Logicalis GmbH

Hi Patrick,

Thank you for this information. I will open a TAC case now and post information after the upgrade.

Kind Regards.

Volker

Manager DC-Networking, Automation & WLAN
Logicalis GmbH

Hi Patrick,

Last night we updated to release 3.1(3)6 and I tested with the customer without excluding the destination address:

It works fine.

Kind Regards.

Volker

Manager DC-Networking, Automation & WLAN
Logicalis GmbH

Hi Patrick,

We have the same problem again. Yesterday the performance decelerated and today it does not work. I configured the workaround again: exclude the destination address.

Should we open a TAC case?

Kind Regards.

Volker

Manager DC-Networking, Automation & WLAN
Logicalis GmbH