topic Problem with Service Policy not applied on traffic... in Network Security

Problem with Service Policy not applied on traffic...

itr05Eurofins — Tue, 12 Mar 2019 01:15:29 GMT

Hi.

We have a quite new setup with ASA 5545-X and using it for WAN-firewalling to protect our Datacenter from the rest of our organization.
We have had trouble with specific Oracle-traffic from one site that gets broken down after 1 hour of idle time in the client-application.
What I would like to do is to raise the Timeout-value to 8 hours for traffic to that specific Oracle host from the problematic site.

The Orcale host has this "fake" IP 192.168.101.100 (Destination_Host)
And the site with problem has this "fake" IP-network: 192.168.102.0/24 (Source_Network)

The source and destination are on different interfaces.

Could anyone advice me what's wrong in this configuration?
Because when I run a Packet Trace in ASDM it doesn't show any trace of hitting this specific Class (Specific_Host_Traffic) and corresponding Class-Map. The config is made from ASDM.

Thanks!
/Gustaf

object network Source_Network
subnet 192.168.102.0 255.255.255.0
object network Destination_Host
host 192.168.101.100

access-list global_mpc extended permit ip object Source_Network object Destination_Host

class-map inspection-default
class-map Specific_Host_Traffic
match access-list global_mpc
class-map inspection_default
match default-inspection-traffic
class-map netflow
match any
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global-policy
policy-map global_policy
class Specific_Host_Traffic
set connection timeout idle 8:00:00
class inspection_default
inspect dcerpc
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
class class-default
set connection decrement-ttl
!
service-policy global_policy global

Message was edited by: Morten Sandholdt

Problem with Service Policy not applied on traffic...

jocamare — Mon, 18 Mar 2013 20:17:10 GMT

Can you try to create a specific Access-list only for this traffic? Get it out of the "global_mpc" group.

Do a "show local X.X.X.X" where X.X.X.X is the internal IP of the host from the internal network and confirm that t is connecting to 192.168.101.100.

Problem with Service Policy not applied on traffic...

itr05Eurofins — Mon, 18 Mar 2013 22:16:11 GMT

How do you mean with " try to create a specific Access-list only for this traffic? Get it out of the "global_mpc" group"?

I did it through ASDM so I'm not a master in CLI.

I did see the traffic being built and also getting torn down in the Logs. So I'm convinced it's the correct addresses.

Any other ideas?

/Gustaf

Problem with Service Policy not applied on traffic...

julomban — Mon, 18 Mar 2013 22:23:05 GMT

Morten,

Can you do a second ACL in teh opposite way?

access-list global_mpc extended permit ip object Destination_Host object Source_Network

If possible, please also share the logs.

Regards,

Juan Lombana

Please rate helpful posts.

Problem with Service Policy not applied on traffic...

jocamare — Tue, 19 Mar 2013 00:55:44 GMT

I mean that we can create a unique set of Access-lists just for the traffic we want to match.

[first and only rule]

access-list IDLE-T extended permit ip object Source_Network object Destination_Host

class-map Specific_Host_Traffic

match access-list IDLE-T

policy-map global_policy

class Specific_Host_Traffic

set connection timeout idle 8:00:00

Can you still share the output of the "show local X.X.X.X details" command? It can be used to confirm the values we are configuring.

Problem with Service Policy not applied on traffic...

itr05Eurofins — Tue, 19 Mar 2013 07:40:45 GMT

Hi. Thanks for the replies.

Havn't had the possibility to change the ACL yet. Will do tonight.

Here is an output from show local with the current config:

Result of the command: "show local 192.168.102.7 detail"

Interface WAN-MPLS-Links: 1962 active, 3253 maximum active, 0 denied
local host: <192.168.102.7>,
    TCP flow count/limit = 13/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 1/unlimited

Conn:
TCP WAN-MPLS-Links: 192.168.102.7/63799 WAN-L2-R5-Links: 192.168.101.100/1526,
flags UIOB , idle 25m20s, uptime 25m21s, timeout 1h0m, bytes 4452

TCP WAN-MPLS-Links: 192.168.102.7/63795 WAN-L2-R5-Links: 192.168.101.100/1526,
flags UIOB , idle 3m14s, uptime 25m38s, timeout 1h0m, bytes 367567

Problem with Service Policy not applied on traffic...

itr05Eurofins — Tue, 19 Mar 2013 07:43:52 GMT

Hi again.

Just wanted to inform that we don't have any other rules/ACLs/ACEs for global_mpc.

We haven't used it before so it's just that rule above. Nothing more.

/Gustaf

Re: Problem with Service Policy not applied on traffic...

jocamare — Wed, 20 Mar 2013 02:35:54 GMT

One more thing,

Mind posting the output of the "show service-policy" command from the unit?

The configuration as it is should work and the output of the "show local" command should be showing 8 hrs instead of 1.

Problem with Service Policy not applied on traffic...

itr05Eurofins — Fri, 22 Mar 2013 06:51:21 GMT

Hi.

Here is the output from "show service-policy":

Result of the command: "sh service-policy"

Global policy:
Service-policy: global_policy
    Class-map: Oracle-DK09
      Set connection policy:         drop 0
      Set connection timeout policy:
        idle 8:00:00
        DCD: disabled, retry-interval 0:00:15, max-retries 5
        DCD: client-probe 0, server-probe 0, conn-expiration 0
    Class-map: inspection_default
      Inspect: dcerpc, packet 8557686, lock fail 0, drop 1511, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: ftp, packet 385738, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: h323 h225 _default_h323_map, packet 4, lock fail 0, drop 0, reset-drop 1, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 133
      Inspect: h323 ras _default_h323_map, packet 3, lock fail 0, drop 3, reset-drop 0, v6-fail-close 0
      Inspect: ip-options _default_ip_options_map, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: rsh, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: rtsp, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: sip , packet 884, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: skinny , packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: sqlnet, packet 20344251, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: sunrpc, packet 166, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: tftp, packet 1020838, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: xdmcp, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
    Class-map: class-default

Default Queueing Set connection policy: drop 0
Set connection decrement-ttl

/Gustaf

Problem with Service Policy not applied on traffic...

jocamare — Fri, 22 Mar 2013 23:19:17 GMT

Ok, it just looks like it is not matching the class-map we created for it.

Try this:

Let's remove the policy-map and apply it again.

no service-policy global_policy global

service-policy global_policy global

Then, let's clear all the connections going to "192.168.101.100".

"Clear local 192.168.101.100"

That should do it.

Problem with Service Policy not applied on traffic...

itr05Eurofins — Sun, 24 Mar 2013 22:45:26 GMT

Hi again.

Ok, I will test that. So if I run

no service-policy global_policy global

there is no risk that the configurations regarding the service-policys gets removed?

I run version 9.1.1.

Just want's to be sure.

/Gustaf

Problem with Service Policy not applied on traffic...

jocamare — Sun, 24 Mar 2013 22:49:45 GMT

The configurations will remain, they will just won't be applied to the traffic while the command is off.

Won't cause any problems, it might actually fix'em.

Problem with Service Policy not applied on traffic...

itr05Eurofins — Tue, 02 Apr 2013 06:51:43 GMT

Hi jocamare!

Big Thanks!

After

no service-policy global_policy global

service-policy global_policy global

Clear local 192.168.101.100

It Works!