Ironport S360 with CDA session timeouts???

Admin Eastland
Level 1

Earlier this year we started using CDA for authentication mappings to our Ironport. Apparently the surrogate type we were using was not supported, and CDA was the solution for this.

Every so often I have noticed that if I search for a webpage (say a Cisco support topic) and I navigate to that 443 page it does not load. If I go back and click on some port 80 type page and immediately go back to the 443 page it will load.

It seems as if there is some sort of issue with the authentications/re-authentications for CDA getting passed to the WSA.

Any ideas of how to correct this behavior? Being that this is so random, I'm not sure how to isolate it.

1 Reply

Vance Kwan
Cisco Employee

Based on your description, if the CDA for some reason was querying slowly for a user-to-IP mapping, theoretically this makes sense. But I cannot see why it would matter if it is port 80 or port 443 traffic. When authentication is needed, there would not be any decryption involved as the WSA would simply query the CDA again to find out who is on a specific IP address.

How often does this occur? Issues like this can get very difficult to track down, and will likely need a packet capture while the issue is occurring to determine where the slowdown is.

-Vance
