topic Http Connection with Video Flow in Network Security

Http Connection with Video Flow

avburren1 — Mon, 11 Mar 2019 20:29:37 GMT

Hi,

I am using ASA 5510 and I have a specific problem with Http Connection to receive a video Flow ( RSTP protocol ) in the LAN.

Some Pc users (192.168.1.133,in the log) with ASA Lan Interface as gateway can ping the Camera but don't receveive the video flow.
Some Pc users (192.168.1.116,in the log) using another gateway can ping and receive the video flow.

I used Whireshark to capture traffic between camera and Pc using the 2 gateway. I joined Logs with this message.

It seems to be a problem of TCP segments on the ASA, I try to changed some TCP options but it's still the same:
- Disable Force Maximum Segment Size
- Enable Force TCP Connection to Linger in TIME_WAIT State for at Least 15 Second

Should I enable RSTP inspection for example ? Any Others Ideas?

Thank You

Re: Http Connection with Video Flow

Maykol Rojas — Thu, 05 May 2011 18:53:17 GMT

Hi,

Please disable HTTP inspection if enable and enable RTSP inspection.

Let me know how it goes.

Mike

Re: Http Connection with Video Flow

avburren1 — Thu, 05 May 2011 21:28:26 GMT

Http inspection is disabled and I rectify my first post , RTSP inspection is already enabled ...

Re: Http Connection with Video Flow

Maykol Rojas — Thu, 05 May 2011 21:37:02 GMT

Hi,

I think I didnt understand that, you put it on question marks, it sounded like you were asking. Now, is the service policy giving you any drops on the RTSP? What can you see on the logs? Were you able to put an asp drop capture to check if the ASA is dropping any packets?

Mike

Re: Http Connection with Video Flow

Maykol Rojas — Thu, 05 May 2011 21:39:07 GMT

Hi,

I saw the logs but those deny tcp no connections were when the connection was already torn down. Please gather the reason why the first connection is being torn down so we can correlate.

Cheers.

Mike

Re: Http Connection with Video Flow

avburren1 — Fri, 06 May 2011 09:53:16 GMT

That's why I ask here why the TCP connection doesn't work when PC use ASA Firewall as gateway whereas the ping is Ok.

Wireshark shows:

Acked Lost Segment / Broken TCP. The acknowledge field is nonzero while the ACK flag is not set

I was wondering if ASA had Security options with TCP connection which explain the deny traffic

Re: Http Connection with Video Flow

avburren1 — Fri, 06 May 2011 15:05:35 GMT

I just see a cisco documentation :

The following restrictions apply to the inspect rtsp command

• The security appliance does not have the ability to recognize HTTP cloaking where RTSP messages are hidden in the HTTP messages.

Could it be an explanation to the problem ?

Re: Http Connection with Video Flow

avburren1 — Wed, 11 May 2011 14:53:27 GMT

Nobody ?

I try to search other possibility :

When it works (pc using a different gateway), wireshark indicate this msg : Tcp segment of a reassembled PDU.
By default,Is the ASA accept and fragment frames larger than the MTU size ?

And what about the Timeout tcp-proxy-reassembly option ?

Thank you

Did you ever get an answer

Christopher Stock — Fri, 14 Nov 2014 15:32:55 GMT

Did you ever get an answer to this?

Thanks