topic Re: Webex issues consistent through ASA firewalls in Network Security

Webex issues consistent through ASA firewalls

aleksa — Fri, 21 Feb 2020 17:21:36 GMT

Hi all,

I got a client and they use Webex stations and Webex apps on PC-s.

They got fibre service, yet performance is poor most of the time.

Read an article about allowing outbound UDP 9000 through the firewall, but implicit policies are in place, so all traffic allowed from inside to the outside.

Other apps like Skype and TeamViewer, have no issues on the same PC-s and network. All hosts hardwired (no WiFi in use)

I'm getting confused as to what could be the issue, especially that I can't see UDP 9000 used on the PC (in netstat -an command),

however, there is session on each site ASA using both UDP 9000 and TCP 443, both sessions incrementing packets...

Wonder if anyone had similar experience?

I'll have to digest the configuration, I'll paste it later, but for now,

Here are the sessions from two different branches:

ASA5516X-FW01/act# sh conn | inc 10.7.10.87
...
TCP OUTSIDE 188.172.208.138:5938 INSIDE 10.7.10.87:49462, idle 0:00:20, bytes 191513, flags UxIOX
UDP OUTSIDE 114.29.192.95:9000 INSIDE 10.7.10.87:60573, idle 0:00:00, bytes 9849856, flags X
UDP OUTSIDE 114.29.192.95:9000 INSIDE 10.7.10.87:64336, idle 0:00:00, bytes 201397360 , flags X
TCP OUTSIDE 114.29.192.95:443 INSIDE 10.7.10.87:51560, idle 0:00:00, bytes 672621, fl ags UxIO

B-ASA5516X-FW01/act# sh conn | inc 10.2.1.249
...
UDP OUTSIDE 114.29.192.95:9000 INSIDE 10.2.1.249:61169, idle 0:00:00, bytes 1802320, flags X
UDP OUTSIDE 114.29.192.95:9000 INSIDE 10.2.1.249:51851, idle 0:00:00, bytes 324618730, flags X
TCP OUTSIDE 114.29.192.95:443 INSIDE 10.2.1.249:53553, idle 0:00:02, bytes 1107153, flags UxIO

Re: Webex issues consistent through ASA firewalls

aleksa — Wed, 31 Jul 2019 21:13:39 GMT

And here is the relevant config...

Please let me know of any thoughts?

Re: Webex issues consistent through ASA firewalls

aleksa — Fri, 02 Aug 2019 09:48:11 GMT

Sorry, my bad, wrong file.

Here is the config file attached.

Re: Webex issues consistent through ASA firewalls

Peter Koltl — Sat, 03 Aug 2019 19:50:26 GMT

Flag X indicates that the flow is handled by Firepower module so you should check it. If no clues, try excluding this port from the service module inspection ACL.

Re: Webex issues consistent through ASA firewalls

aleksa — Thu, 08 Aug 2019 21:38:41 GMT

Thanks Peter,

I've excluded Webex traffic from FirePower inspection, yet the problems remained.

I did packet-trace command on typical Webex connection and confirmed it wasn't sent to IPS policy for inspection...

Any more ideas? Do you think there's much difference in using implicit allow (for traffic initiated from higher security level to lower) and explicitly defining Webex traffic (Network Objects - Webex URL-s and public IP-s, as well as UDP/TCP ports)?

Thanks,

Alex