topic Re: Microsoft Updates File Resume Block in Network Security

Microsoft Updates File Resume Block

Cole Riese — Tue, 14 Nov 2023 14:08:05 GMT

Greetings,

We recently upgraded our FMC and a few of our FTDs to version 7.0.5. Since then, those FTDs have been blocking Microsoft Updates with the reason "File Resume Block" even though they're trusted. Has anyone else experienced this? We have a few FTDs still on 6.6.x and they aren't blocking the updates. I tried adding an ACL rule to allow the URLs and the application type of "Microsoft" and "Microsoft Update" but that didn't work.

Re: Microsoft Updates File Resume Block

Tritontek — Tue, 14 Nov 2023 18:43:04 GMT

Can you show the ACP rules created if possible? Can you run show asp drop from the ftd cli? Also can you check if TLS in advanced tab under ACP is enabled? (This is done under Access Control Policy > Advanced > TLS Server Identity Discovery > Early Application Detection)

Re: Microsoft Updates File Resume Block

Cole Riese — Tue, 14 Nov 2023 18:59:14 GMT

Here is the ACP rule:

Here is the output of show asp drop:

Frame drop:
Flow is being freed (flow-being-freed) 63186
Invalid TCP Length (invalid-tcp-hdr-length) 45
No route to host (no-route) 573
Flow is denied by configured rule (acl-drop) 3481486
Invalid SPI (np-sp-invalid-spi) 4
First TCP packet not SYN (tcp-not-syn) 348913
Bad TCP flags (bad-tcp-flags) 9
TCP failed 3 way handshake (tcp-3whs-failed) 149439
TCP RST/FIN out of order (tcp-rstfin-ooo) 1391071
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 4529
TCP ACK in SYNACK invalid (tcp-ack-syn-diff) 9
TCP SYNACK on established conn (tcp-synack-ooo) 290
TCP packet SEQ past window (tcp-seq-past-win) 8050
TCP invalid ACK (tcp-invalid-ack) 3043
TCP RST/SYN in window (tcp-rst-syn-in-win) 884
TCP packet failed PAWS test (tcp-paws-fail) 20
Slowpath security checks failed (sp-security-failed) 14667
ICMP Inspect bad icmp code (inspect-icmp-bad-code) 1
ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched) 11
DNS Inspect invalid domain label (inspect-dns-invalid-domain-label) 1411
DNS Inspect id not matched (inspect-dns-id-not-matched) 542
Snort requested to drop the frame (snort-drop) 149350
Snort instance is busy (snort-busy) 4581
FP L2 rule drop (l2_acl) 6229
Dropped pending packets in a closed socket (np-socket-closed) 894104
Async lock queue limit exceeded (async-lock-queue-limit) 72
NAT failed (nat-xlate-failed) 294
TCP Proxy retransmited packet drop (tcp-proxy-retransmit-drop) 171004
TCP Proxy FP2LW enqueue limit reached (tcp-proxy-fp2lw-enqueue-limit-drop) 7
TCP Proxy invalid TCP checksum drop (tcp-proxy-invalid-tcp-checksum-drop) 22
Packet is unknown or traced (a-module) 1
Blocked or blacklisted by the firewall preprocessor (firewall) 2534080
Blocked or blacklisted by the stream preprocessor (stream) 878
Blocked or blacklisted by the reputation preprocessor (reputation) 69
Blocked or blacklisted by the file process preprocessor (file-process) 35202
Packet is blacklisted by snort (snort-blacklist) 27911652
Packet is blocked as requested by snort (snort-block) 15519861
Packet is dropped silently as requested by snort (snort-silent-drop) 822035
Dispatch queue tail drops (dispatch-queue-limit) 177745

Last clearing: 19:19:37 UTC Aug 17 2023 by enable_15

Flow drop:
Inspection failure (inspect-fail) 13418

Last clearing: 19:19:37 UTC Aug 17 2023 by enable_15

Yes, TLS is enabled.

Re: Microsoft Updates File Resume Block

Herald Sison — Wed, 15 Nov 2023 08:57:50 GMT

check this out. ---> https://bst.cisco.com/bugsearch/bug/CSCwf35573

try disabling TLS and rerun the updates. If still having issues try to check the block rules you created above that rule # 12 maybe there is a conflicting block rule that may affect your allow rule.