topic Re: Problems with HTTP/HTTPS sites through ASA in Network Security

Problems with HTTP/HTTPS sites through ASA

Federico Coto Fajardo — Mon, 11 Mar 2019 17:17:18 GMT

Hi,

This is a strange situation.

I cannot open some web pages on the Internet through the ASA. If I bypass the ASA I can open all the pages.

There's no HTTP inspection on the ASA enabled.

I am attaching the configuration.

I am attaching a capture I did on port 80 getting to a specific page fantasy.footbo.com

This particular page (and some others) I cannot open them through the ASA, but can open them bypassing the ASA.

pcap1 is the capture from my local machine 172.16.24.150 to the page (applied to the inside interface)

pcap 2 is the capture from the NATed address to the page (applied to the outside interface)

I try reading the captures in Wireshark and it seems to be that my machine sends the SYN request, but never get a response from the server.

Why could this be?

Can I get some help in getting more information from the captures or what other troubleshooting steps can I do to resolve this?

Note: When I open the pcaps in Wireshark I get the following message: ''The capture file appears to have been cut short in the middle of a packet''

These are the commands that I've used for the captures:

CAPTURE INSIDE INTERFACE
access-list http-outbound-inside permit tcp host 172.16.24.150 host 79.125.22.215 eq 80
access-list http-outbound-inside permit tcp host 79.125.22.215 eq 80 host 172.16.24.150
capture http-outbound-inside access-list http-outbound-inside interface inside trace buffer 20000000

CAPTURE OUTSIDE INTERFACE
access-list http-outbound-outside permit tcp host 200.122.131.5 host 79.125.22.215 eq 80
access-list http-outbound-outside permit tcp host 79.125.22.215 eq 80 host 200.122.131.5
capture http-outbound-outside access-list http-outbound-outside interface outside trace buffer 20000000

Local machine: 172.16.24.150

Resolved IP for fantasy.footbo.com = 79.125.22.215

NATed address: 200.122.131.5

Also, I've tried changing my public IP address, and I get the same result.

For instance:

nat (inside) 20 172.16.24.150 255.255.255.255

global (outside) 20 interface

Also, I tried to access the pages from another ASA with similar configuration, and I do get the pages (so I know it's not a default behavior on the ASA with particular sites).

When I do a traceroute I do get out of my network to the Internet, so I don't see how it is an internal problem.

C:\Users\fcoto>tracert fantasy.footbo.com

Tracing route to 11kicks-1164740758.eu-west-1.elb.amazonaws.com [79.125.22.215]
over a maximum of 30 hops:

1     1 ms     1 ms     1 ms 172.16.24.2
2     1 ms    <1 ms     1 ms 200.122.131.1
3     1 ms     1 ms     1 ms 201.193.214.125
4     1 ms     2 ms     1 ms 201.193.215.29
5     3 ms     5 ms     6 ms 201.193.89.97
6    43 ms    44 ms    42 ms sl-st21-mia-14-1-0.sprintlink.net [144.223.245.1
33]
7    43 ms    43 ms    43 ms sl-crs2-mia-0-3-0-3.sprintlink.net [144.232.2.24
1]
8    99 ms    86 ms    67 ms sl-crs2-dc-0-12-0-0.sprintlink.net [144.232.9.27
]
9    66 ms    66 ms    66 ms sl-st22-ash-12-0-0.sprintlink.net [144.232.9.123
]
10    66 ms    67 ms    66 ms sl-tisca1-272901-0.sprintlink.net [144.223.246.9
8]
11   162 ms   166 ms   167 ms so-1-0-0.dub10.ip4.tinet.net [89.149.187.1]
12   167 ms   168 ms   166 ms amazon-ireland-gw.ip4.tinet.net [213.200.67.30]

13   153 ms   152 ms   162 ms 87.238.85.12
14     *        *        *     Request timed out.
15     *        *        *     Request timed out.
16     *        *     ^C
C:\Users\fcoto>

The only thing that I can think of is that those sites that we cannot reach do not want us for some reason, like they have our IP blocked.

But I can't just remove the ASA.

Any suggestions are appreciated!!!

Federico.

Re: Problems with HTTP/HTTPS sites through ASA

Diego Armando Cambronero Arias — Wed, 03 Mar 2010 20:57:53 GMT

Hola,

I'm almost sure that this is an issue due of the MSS being exceeded,

Clear the asp table with the command: Clear asp drop. Then try to access one of those websites and check if the MSS counter is incrementing or if the out-of-order counters are incrementing. THis is the configurationg required to fix your issus

Pixfirewall(config)#access-list http-list2 permit tcp any any

pixfirewall(config)#
pixfirewall#configure terminal
pixfirewall(config)#
pixfirewall(config)#class-map http-map1
pixfirewall(config-cmap)#match any
pixfirewall(config-cmap)#exit
pixfirewall(config)#tcp-map mss-map
pixfirewall(config-tcp-map)#exceed-mss allow
pixfirewall(config-tcp-map)#exit
pixfirewall(config)#policy-map http-map1
pixfirewall(config-pmap)#class http-map1
pixfirewall(config-pmap-c)#set connection advanced-options mss-map
pixfirewall(config-pmap-c)#exit
pixfirewall(config-pmap)#exit
pixfirewall(config)#service-policy http-map1 global
pixfirewall#

Please try it and let me know.

Link: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml

Saludos Fede

Re: Problems with HTTP/HTTPS sites through ASA

Diego Armando Cambronero Arias — Wed, 03 Mar 2010 20:59:26 GMT

You can also try to create a capture for asp. (all)

and check why this is happening.

Regards,

Re: Problems with HTTP/HTTPS sites through ASA

Kureli Sankar — Wed, 03 Mar 2010 21:07:18 GMT

I looked at the captures there is no response coming back from 79.125.22.215. This is not the firewall's problem.

You are probably seeing syn timeout messages on the syslogs when this flow works.

Pls. talk to the website admins and ask them if they see your SYNs making to their server and why their server does not respond.

Or get your ISP involved as ask them if they see response arriving from this website but, are not being handed to the ASA's outside interface.

-KS

Re: Problems with HTTP/HTTPS sites through ASA

Federico Coto Fajardo — Wed, 03 Mar 2010 21:09:07 GMT

I am going to try that, but when I apply the service-policy:

service-policy http-map1 global

It says that the global_policy is already applied.

So, how do I apply this service-policy without removing the global-policy? Can I nested inside the global_policy policy map?

Pleas let me know how to do it.

Federico.

Re: Problems with HTTP/HTTPS sites through ASA

Federico Coto Fajardo — Wed, 03 Mar 2010 21:15:21 GMT

Kusankar,

You're right with that one.

Please take a look a these captures that I'm attaching now.

Both belong to a capture accesing two pages:

me.com

11kicks.com

The capture going to me.com, show a FIN-ACK after getting a weird message.

The capture going to 11kicks.com shows a redirect message.

I cannot access both of these pages through the ASA also, but the outputs of the captures are different.

Please let me know what could be going on.

Federico.

Re: Problems with HTTP/HTTPS sites through ASA

Diego Armando Cambronero Arias — Wed, 03 Mar 2010 21:22:08 GMT

kusankar might be right. But this is working when you bypass the ASA right?

Is this issue happening with all HTTP and HTTPS traffic? if t's you might contact your ISP but if the issue is happening with only some specific host try to get the capture for ASP while you try to access one of those sites.

Re: Problems with HTTP/HTTPS sites through ASA

Diego Armando Cambronero Arias — Wed, 03 Mar 2010 21:24:22 GMT

pixfirewall(config)#capture test type asp-drop all

Show cap test

Re: Problems with HTTP/HTTPS sites through ASA

Federico Coto Fajardo — Wed, 03 Mar 2010 21:26:21 GMT

The problem we're seeing it only for some specific sites.

I want to take the ASA out of the picture of the problem.

I did the mss, and I can get to me.com, but I'm still having problems with other pages.

I attached the captures for 11kicks.com for example.

We can get perfectly to that page bypassing the ASA, but not through the ASA.

The ISP is not much of a help down here 😞

Federico.

Re: Problems with HTTP/HTTPS sites through ASA

Diego Armando Cambronero Arias — Wed, 03 Mar 2010 21:29:28 GMT

Sure you should use the current Policy as well the current service policy

Pixfirewall(config)#access-list http-list2 permit tcp any any

pixfirewall(config-pmap)#class http-map1
pixfirewall(config-pmap-c)#set connection advanced-options mss-map
pixfirewall(config-pmap-c)#exit
pixfirewall(config-pmap)#exit

The service policy is already applied so you do not have to apply it again.

Re: Problems with HTTP/HTTPS sites through ASA

Diego Armando Cambronero Arias — Wed, 03 Mar 2010 21:35:26 GMT

Where are you from federico?

Get the captures for asp that will be very helpful.

of course try to get access to one of those dammed websites while doing the capture.

Re: Problems with HTTP/HTTPS sites through ASA

Federico Coto Fajardo — Wed, 03 Mar 2010 21:35:32 GMT

Thank you, this is the pcap for the 11kicks.com site through the ASA after adjusting the mss.

As I said, this site works perfectly without going through the ASA, but not through the ASA.

C:\Users\fcoto>nslookup 11kicks.com
Server: dc2000.ln.corp.nacion.com
Address: 172.16.24.17

Non-authoritative answer:
Name: 11kicks.com
Address: 77.67.52.163

Federico.

Re: Problems with HTTP/HTTPS sites through ASA

Diego Armando Cambronero Arias — Wed, 03 Mar 2010 21:40:41 GMT

Is it the ASP Drop Capture?

send us the current config again please.

Re: Problems with HTTP/HTTPS sites through ASA

Diego Armando Cambronero Arias — Wed, 03 Mar 2010 21:42:34 GMT

Are u from Costa Rica. I'm From CR too.

Re: Problems with HTTP/HTTPS sites through ASA

Federico Coto Fajardo — Wed, 03 Mar 2010 21:47:18 GMT

Thought you were from C.R... yes I'm from C.R!

Here's the current config. And yes, those are the asp drop captures.

Federico.

Re: Problems with HTTP/HTTPS sites through ASA

Diego Armando Cambronero Arias — Wed, 03 Mar 2010 21:51:03 GMT

my msn is diegocambronero@hotmail.com

Re: Problems with HTTP/HTTPS sites through ASA

Federico Coto Fajardo — Wed, 03 Mar 2010 21:54:14 GMT

Thank you!

I'll add you in a moment...

I sent you the current config and the ASP drops.

Federico.

Re: Problems with HTTP/HTTPS sites through ASA

Federico Coto Fajardo — Thu, 04 Mar 2010 00:55:33 GMT

Hi,

It is not easy to see the results on the ''sh asp drop'' because there's too much traffic passing through the ASA and if I clear the asp drop table, and I attempt to connect to any of those websites, then I check the ''sh asp drop'' again, and all the counters incremented in some way.

Is there another way to look at the asp drop behavior in a more specific way?

Thank you,

Federico.

Re: Problems with HTTP/HTTPS sites through ASA

Federico Coto Fajardo — Mon, 08 Mar 2010 15:54:41 GMT

Hi Diego,

Thank you for all your help.

We've found out that the ASA is not the problem since we connected a computer to the external switch (where the outside IP of the ASA is connected), give it a public IP of the same range and the problem persisted with the pages.

When I said that bypassing the ASA we did not experience the problem, was because on the same location we had an ADSL connection (with a total different range of public IPs).

If we try getting to those pages from the same range of IPs of the ASA (even bypassing the ASA), the problem persisted.

This tell us that the problem has to be with the public IPs definitely correct?

The ISP is no help at all!

Federico.

Re: Problems with HTTP/HTTPS sites through ASA

Kureli Sankar — Mon, 08 Mar 2010 15:57:41 GMT

Correct.

-KS