topic Hi,I think the easiest way in Network Security

ASA 5545 interfering with HTTPS Traffic

brownmattc — Tue, 12 Mar 2019 06:05:45 GMT

Hello,

I am having a strange issue with HTTPS traffic that I think has to do with our ASA. The basics is that HTTPS sessions around the web are extremely slow and sometimes time out. This happens when browsing the web through Chrome or Internet Explorer but this issue is also affecting our remote VPN phones that create a SSL tunnel into our DMZ. The phones will work for two - three minutes then the SSL connection is reset. So I have two different interfaces (Internal and DMZ) and I am seeing the same issue with services behind both of them which is what leads me to believe that the ASA is doing something to HTTPS traffic. What is seems to me is that the ASA is somehow inspecting or slowing down HTTPS traffic though I cannot for the life of me find any inspection policies that would apply.

This ASA has a CX module but I have not configured it to do anything. When I login to the CX module it shows that no information, data, policies or otherwise. So I don't think it is the CX module.

Any thoughts on how I can figure out what is going on? Does anyone know if there are default inspection polices on HTTPS when not using the CX module? Could there be some other service running on the ASA that could be causing this?

Thanks,

Matt

Hi,I think the easiest way

Vibhor Amrodia — Thu, 11 Jun 2015 16:31:00 GMT

Hi,

I think the easiest way for checking this would be to go ahead and disable the redirection the traffic to the CX module and verify the issue is re-occurring or not ?

"show run policy-map" would show you if the policy is there which is redirecting the traffic to the CX and "show service-policy" would show you if this policy is applied or not ?

Thanks and Regards,

Vibhor Amrodia

Thank you for your reply -

brownmattc — Thu, 11 Jun 2015 17:39:49 GMT

Thank you for your reply - sorry that my question wasn't clear but I do not think that we currently have the CX module in use which is the hard part of the issue.

Sh Run Policy-Map:

policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
inspect icmp
inspect icmp error
class class-default
user-statistics accounting

sh service-policy

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 9328277, lock fail 0, drop 386, reset-drop 0, v6-fail-close 0
Inspect: ftp, packet 399645, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: h323 h225 _default_h323_map, packet 2158, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: h323 ras _default_h323_map, packet 79, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: ip-options _default_ip_options_map, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: netbios, packet 4028, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: rsh, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: rtsp, packet 49597, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: skinny , packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: sqlnet, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: sunrpc, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: tftp, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: sip , packet 136, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: xdmcp, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: http, packet 786473478, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: icmp, packet 4111478, lock fail 0, drop 17, reset-drop 0, v6-fail-close 0
Inspect: icmp error, packet 15112, lock fail 0, drop 54, reset-drop 0, v6-fail-close 0
Class-map: class-default

Default Queueing Packet recieved 40877, sent 101196, attack 10639