https://community.cisco.com/t5/application-networking/ace-webdav-traffic-dropped-by-inspection/m-p/836476#M16320 <HTML><HEAD></HEAD><BODY><P>Roble,</P><P></P><P>after some digging in the code and a discussion with the person in charge of this feature, it appears that webdav is not supported by http inspect. the http method propfind is rejected by http inspect.</P><P>This is not considered a bug.</P><P>But I believe we might add it with a feature request.</P><P></P><P>Gilles.</P></BODY></HTML> Tue, 15 Jan 2008 11:09:38 GMT Gilles Dufour 2008-01-15T11:09:38Z https://community.cisco.com/t5/application-networking/ace-webdav-traffic-dropped-by-inspection/m-p/836471#M16315 <P>I terminate http and https on the ACE. Within the L4 multi-match policy exists a class for inspection purpose.</P><P></P><P>The class itself filters on</P><P></P><P>port misuse p2p</P><P>port misuse im</P><P>port misuse tunnel</P><P></P><P>The action for a valid match is reset.</P><P></P><P>Somehow WebDAV traffic gets matched by any of the above criteria.</P><P></P><P>The only chance i have to enable WebDAV is to disable/remove the inspection from the multi-match policy.</P><P></P><P>Is this a "works as designed", "possible bug" or "bad configuration" issue?</P><P></P><P>Thanks for reading.</P><P></P><P>Roble</P> Mon, 14 Jan 2008 14:11:24 GMT https://community.cisco.com/t5/application-networking/ace-webdav-traffic-dropped-by-inspection/m-p/836471#M16315 Roble Mumin 2008-01-14T14:11:24Z https://community.cisco.com/t5/application-networking/ace-webdav-traffic-dropped-by-inspection/m-p/836472#M16316 <HTML><HEAD></HEAD><BODY><P>we can't really say it was designed like this.</P><P>Now, it could be that webdav behavior is similar to any of the protocol in the list.</P><P>Do you know if the problem is for any of the protocols listed or one in particular ?? Did you try just one of them in your match statement ?</P><P>Also, do you have a trace when this occurs so we can look at the webdav request ?</P><P></P><P>Thanks,</P><P></P><P>Gilles.</P></BODY></HTML> Mon, 14 Jan 2008 15:49:20 GMT https://community.cisco.com/t5/application-networking/ace-webdav-traffic-dropped-by-inspection/m-p/836472#M16316 Gilles Dufour 2008-01-14T15:49:20Z https://community.cisco.com/t5/application-networking/ace-webdav-traffic-dropped-by-inspection/m-p/836473#M16317 <HTML><HEAD></HEAD><BODY><P>Hey Gilles...</P><P></P><P>The funny thing is any of the single statements causes match.</P><P></P><P>When the class map is filled with only one "qualifier" e.g. port-misuse p2p the inspection engine drops the packet. I tried it with every single statement. Even when the class map is empty it will drop the WebDAV packets.</P><P></P><P>I was thinking about a possible whitelist the WebDAV traffic and use the port-misuse statements as blacklist approach.</P><P></P><P>Currently i am not yet sure how to identify WebDAV Traffic within a class map.</P><P></P><P>I sniffed the connection and the only thing i see is a "regular" RST packet after the WebDAV Method "PROPFIND".</P><P></P><P>That is all i could find out so far. In my opinion this could be another bug. Because i see no reason to mark WebDAV traffic as malicious content.</P><P></P><P>But i would also face a "what the heck have you configured there" statement as long as it helps. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>Roble</P></BODY></HTML> Mon, 14 Jan 2008 16:12:17 GMT https://community.cisco.com/t5/application-networking/ace-webdav-traffic-dropped-by-inspection/m-p/836473#M16317 Roble Mumin 2008-01-14T16:12:17Z https://community.cisco.com/t5/application-networking/ace-webdav-traffic-dropped-by-inspection/m-p/836474#M16318 <HTML><HEAD></HEAD><BODY><P>ok.</P><P>I can see the same behavior in my lab.</P><P>I will investigate.</P><P></P><P>Gilles.</P></BODY></HTML> Mon, 14 Jan 2008 16:57:22 GMT https://community.cisco.com/t5/application-networking/ace-webdav-traffic-dropped-by-inspection/m-p/836474#M16318 Gilles Dufour 2008-01-14T16:57:22Z https://community.cisco.com/t5/application-networking/ace-webdav-traffic-dropped-by-inspection/m-p/836475#M16319 <HTML><HEAD></HEAD><BODY><P>Great to hear you could reproduce that behavior. So i probably end up with TAC-Call and a DevImage fixing this.</P><P></P><P>Roble</P></BODY></HTML> Tue, 15 Jan 2008 09:15:20 GMT https://community.cisco.com/t5/application-networking/ace-webdav-traffic-dropped-by-inspection/m-p/836475#M16319 Roble Mumin 2008-01-15T09:15:20Z https://community.cisco.com/t5/application-networking/ace-webdav-traffic-dropped-by-inspection/m-p/836476#M16320 <HTML><HEAD></HEAD><BODY><P>Roble,</P><P></P><P>after some digging in the code and a discussion with the person in charge of this feature, it appears that webdav is not supported by http inspect. the http method propfind is rejected by http inspect.</P><P>This is not considered a bug.</P><P>But I believe we might add it with a feature request.</P><P></P><P>Gilles.</P></BODY></HTML> Tue, 15 Jan 2008 11:09:38 GMT https://community.cisco.com/t5/application-networking/ace-webdav-traffic-dropped-by-inspection/m-p/836476#M16320 Gilles Dufour 2008-01-15T11:09:38Z https://community.cisco.com/t5/application-networking/ace-webdav-traffic-dropped-by-inspection/m-p/836477#M16321 <HTML><HEAD></HEAD><BODY><P>The way to go from here is TAC-Call with a feature request? Or is there another approach i should take?</P><P></P><P>Anyhow thanks for clearing up the issue.</P><P></P><P>Roble</P></BODY></HTML> Tue, 15 Jan 2008 12:02:39 GMT https://community.cisco.com/t5/application-networking/ace-webdav-traffic-dropped-by-inspection/m-p/836477#M16321 Roble Mumin 2008-01-15T12:02:39Z