http inspect in ASA 5510 messes up svn authentication

vladimirtch — Tue, 12 Mar 2019 01:43:12 GMT

I have a strange problem in my ASA 5510 firewall. I turned on http inspect policy to block certain URLs, but that destroyed svn communication. Interestingly, if I use simple web-browser to access svn server - it works, but any svn-client requests fail with an error "Could not read status line: An existing connection was forcibly closed by the remote host". I did some packet sniffing, and discovered that with http inspect off the WebDAV request is answered, but with http inspect on it is rejected with an error unauthorized. Here are examples of success and failed conversation packets:

Success:

1. <Client-IP> <Server-IP> WEBDAV WEBDAV:Request, PROPFIND /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}

2. <Client-IP> <Server-IP> WEBDAV WEBDAV:HTTP Payload, URL: /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}

3. <Server-IP> <Client-IP> TCP TCP:Flags=...A...., SrcPort=HTTP(80), DstPort=58882, PayloadLen=0, Seq=4139355337, Ack=3464798063, Win=258 (scale factor 0x8) = 66048 {TCP:2, IPv4:1}

4. <Server-IP> <Client-IP> WEBDAV WEBDAV:Response, HTTP/1.1, Status: UNHANDLED HTTP Status Code, URL: /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}

Failure:

1. <Client-IP> <Server-IP> WEBDAV WEBDAV:Request, PROPFIND /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}

2. <Client-IP> <Server-IP> WEBDAV WEBDAV:HTTP Payload, URL: /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}

3. <Server-IP> <Client-IP> TCP TCP:Flags=...A.R.., SrcPort=HTTP(80), DstPort=1137, PayloadLen=0, Seq=1075661931, Ack=4049054406, Win=64240 (scale factor 0x0) = 64240 {TCP:2, IPv4:1}

4. <Client-IP> <Server-IP> TCP TCP:Flags=......S., SrcPort=1138, DstPort=HTTP(80), PayloadLen=0, Seq=1032908784, Ack=0, Win=64240 ( ) = 64240 {TCP:4, IPv4:1}

5. <Server-IP> <Client-IP> TCP TCP:Flags=...A..S., SrcPort=HTTP(80), DstPort=1138, PayloadLen=0, Seq=4184445498, Ack=1032908785, Win=8192 ( Scale factor not supported ) = 8192 {TCP:4, IPv4:1}

6. <Client-IP> <Server-IP> TCP TCP:Flags=...A...., SrcPort=1138, DstPort=HTTP(80), PayloadLen=0, Seq=1032908785, Ack=4184445499, Win=64240 (scale factor 0x0) = 64240 {TCP:4, IPv4:1}

Packet # 4 is an actual differentiator.

Does anybody had that issue or know the solution?

I found one mentioning of that error with that assessment: "Older firewall/proxies do not understand the WebDAV related HTTP requests for accessing Subversion using HTTP URL"

in that post https://groups.google.com/forum/?fromgroups=#!msg/google-code-hosting/FxpUkunjoYw/vjl7gejX0GcJ

But not any helpful tips.

http inspect in ASA 5510 messes up svn authentication

patoberli — Wed, 15 May 2013 14:10:40 GMT

See here on how the inspect actually works (for version 8.2) and maybe you find the reason why it gets blocked:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1735782

topic http inspect in ASA 5510 messes up svn authentication in Network Security

http inspect in ASA 5510 messes up svn authentication

http inspect in ASA 5510 messes up svn authentication