
ASA5550 Blocks Streaming only to SmartTV

I recently purchased a pair of ASA 5550's to upgrade my home network since I have a Gig line but the 3900 I've been using as my boundary firewall throttles filtered traffic at about 150Mbps. I *thought* the 5550s would be very similar to routers--they are not (but that has been discussed to death, I learned). I got my first 5550 up and working correctly. All services run where they're supposed to (I still need to do some port mapping for my Xbox Live service, and I never did get PAT to work via ASDM, I just had to go wing it in the command line), except for ONE.

My Roku SmartTV can't stream any media, however a "connection test" shows that it is online and receiving packets (self-reported by the device). Here's the extra weird part: Netflix, HBO Go, and Amazon Prime (my 3 streaming services) all work flawlessly and FAST on every PC and laptop, and the Xbox, plugged into the network (I've tested on about 5 devices, all plugged into the same switch, VLAN, and subnet as the TV). It appears to ONLY affect the smart TV, but the smart TV is still online(?!). The Sharp/Roku website for network support is a joke, and I certainly can't find any information about the ports used by the apps--but everything I can find about Netflix says that 80 and 443 are all Netflix uses, and I can't imagine it would be different for the SmartTV app?

I've posted the running config below with sensitive data omitted. You'll see a bit of a cluster of network objects from when I was fighting with ASDM, but most of them are idle and just need to be deleted--they aren't affecting connectivity or even in use. You'll also see where I tried to whitelist the Netflix domain, hoping that it was just a zone security issue, but that has not helped. For obvious reasons, I would like to run my entire LAN through the firewall and not have to route around the security appliance for my TV (or any other smart appliances that come online).
I'm also open to any feedback on the config or what services I should set up next, as this is my first ASA and it's still highly experimental on my network. Thanks!

 

: Serial Number: [omitted]
: Hardware: ASA5550, 4096 MB RAM, CPU Pentium 4 3000 MHz
:
ASA Version 9.1(7)32
!
hostname ciscoasa
enable password [omitted] encrypted
names
!
interface GigabitEthernet0/0
nameif LAN-PORT
security-level 100
ip address 10.1.1.2 255.255.255.252
!
interface GigabitEthernet0/1
shutdown
nameif EIGRP/SSH-PORT
security-level 100
ip address 172.18.1.1 255.255.255.252
hello-interval eigrp 100 1
hold-time eigrp 100 3
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 10.0.0.1 255.255.255.252
!
interface GigabitEthernet1/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
nameif ISP-PORT
security-level 0
ip address dhcp setroute
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit intra-interface
object network LAN_NET
host 10.10.10.0
object network LAN_ACCESS
subnet 10.10.10.0 255.255.255.0
object network ROUTER_NET
subnet 10.1.1.0 255.255.255.252
object network LOCAL_LAN
subnet 10.10.10.0 255.255.255.0
description USER_VLAN
object network MAIN_ROUTER
host 10.1.1.1
object network USER_VLAN
subnet 10.10.10.0 255.255.255.0
object network Router
host 10.1.1.1
object network Xbox_Ports_53_tcp
host 10.1.1.1
description XBOX Services Ports
object network Netflix
fqdn v4 netflix.com
description Netflix rule because it broke things
object network Netflix1
fqdn v4 www.netflix.com
access-list ISP-PORT_access_in extended permit ip object Netflix any
access-list ISP-PORT_access_in extended permit ip object Netflix1 any
pager lines 24
logging asdm informational
mtu management 1500
mtu EIGRP/SSH-PORT 1500
mtu LAN-PORT 1500
mtu ISP-PORT 1500
ip verify reverse-path interface ISP-PORT
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,ISP-PORT) source dynamic any interface
access-group ISP-PORT_access_in in interface ISP-PORT
!
router eigrp 100
no auto-summary
network 0.0.0.0 0.0.0.0
passive-interface EIGRP/SSH-PORT
passive-interface management
passive-interface ISP-PORT
!
route ISP-PORT 0.0.0.0 0.0.0.0 [omitted] 1
route LAN-PORT 10.10.10.0 255.255.255.0 10.1.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.0.0 255.255.255.252 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 172.18.1.0 255.255.255.252 EIGRP/SSH-PORT
ssh 10.1.1.0 255.255.255.252 LAN-PORT
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access EIGRP/SSH-PORT
dhcp-client client-id interface ISP-PORT
dhcpd address 10.0.0.2-10.0.0.2 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.[omitted] source LAN-PORT
username [omitted] password [omitted] encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:[omitted]
: end


Wow, you have a lot of money :)

You don't need these commands

!

access-list ISP-PORT_access_in extended permit ip object Netflix any
access-list ISP-PORT_access_in extended permit ip object Netflix1 any
access-group ISP-PORT_access_in in interface ISP-PORT

!

As you are doing a dynamic NAT from inside (100) to outside (0), the above commands are not useful to you.

!

no access-list ISP-PORT_access_in extended permit ip object Netflix any
no access-list ISP-PORT_access_in extended permit ip object Netflix1 any
no access-group ISP-PORT_access_in in interface ISP-PORT

!

Please do not forget to rate.

Haha, I'm actually just very skilled at scouring eBay, and have very few other hobbies to dump my money into. :P

 

The commands you referenced are my whitelist commands--I wanted to see if whitelisting the FQDN in on the ISP interface would possibly help Netflix to run on the smart TV (it was a Hail Mary--I was out of other troubleshooting ideas), but it made no difference. I'll scrap the commands, but that doesn't help streaming services run to my smart TV. Are there any known issues with smart appliances running streaming services through an ASA?

Some points for re-verification or ideas to look for.

Look at any configuration on the switch port connected to the TV and also verify the Wi-Fi configuration of the TV.
Check the IP and default gateway of the TV. (The gateway should forward traffic towards the ASA.)
I would also like you to look at the live logs on the ASA while you surf/stream content on the TV; that may give you some idea.
You can also capture packets on the ASA.

Do you see any drops or anything unusual?

HTH

I went back and checked the live logs and ran a show asp drop after clear asp drop.

 

This TV is kicking out HUNDREDS of FP L2 rule drop violations per minute. I'd say we've found the culprit (according to the Cisco ASA Command Reference): "FP L2 rule Drop: This counter will increment when the appliance denies a packet due to a layer-2 ACL. By default, in routed mode the appliance will PERMIT:

IPv4 packets

IPv6 packets

ARP Packets

L2 Destination MAC of FFFF:FFFF:FFFF

IPv4 MCAST Packet...

IPv6 MCAST Packet..."

So the next question is--what sort of L2 violation is the TV throwing, how do I find it, and how do I modify the L2 ACL to permit the traffic (or should I???)

Good that we have something to work with. 

 

This is new for me too, and to be honest I have no experience with TV/streaming or IoT as such, but as a network guy I would recommend that first we should know what kind of traffic it is, and then if it looks good I would permit it. I would also like to know why it is dropped, the specific reason.

Now, what is next: capture packets and see what the packets are saying and why the ASA is dropping them. It may reveal the reason behind the drop, and you can analyse the capture file in a packet analyser.

 

capture asp-drop type asp-drop all
sh capture asp-drop

 

For more details on packet capture, visit:

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118097-configure-asa-00.html

 

It would be great if you could post some live logs, packet captures and asp drop logs; it may be helpful for others too.

 

HTH

Per your instructions I ran an asp-drop capture. Sorry to say that just spits out the frames at the hex level, and didn't have especially useful information. After spinning through the frames I did a little research and solved the problem. I actually had to enable system logging and set the logging sensitivity so that I could pull syslogs out of the buffer and compare the syslog codes to the index at:

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs3.html?bookSearch=true#con_4771036

I've marked out the steps here for posterity in case anyone has a similar issue.

From global config:

logging buffered 7

logging enable

(run the interfered service and)

show logging / show logging asdm

When I read through the system logs and looked up the codes I got TONS of log hits in the:

305011, 302013, 305011, 305012, 302016, 302016 ranges

All of these syslogs are basically the same message--the TV is trying to write its own NAT entries into the gateway! MOST horrifying of all:

302020, 302021 are syslogs that recurred every 50-100 NAT entries to try and build ICMP tunnels into the network. Could be innocuous, could be ICMP messages that fly around the network and gather information about who-knows what.

Needless to say I consider this issue resolved. The ASA is blocking my TV because it's trying to do its own port-mapping in the internet gateway. I will likely isolate the television in its own VLAN and make a tunnel straight to the provider's appliance (keeping it on the OUTSIDE interface of my security appliance). It can map all the ports and send all the ICMP messages that it wants on the provider's gear.

If anyone finds this thread in the future, be very leery of Sharp Roku TVs!!!

Thanks for the help, all.
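
A way to triage the buffered log that the steps above produce, given here as an added example that is not part of the original post: it tallies message IDs on lines naming one host and sets aside the lines at severity 4 or more severe. The log lines, the host 10.10.10.50 and the function name `triage` are constructed for illustration; the ID descriptions follow the Cisco ASA syslog reference, which lists these IDs as connection and translation build/teardown events.

```python
import re
from collections import Counter

# Meanings of the IDs named in the post, per the Cisco ASA syslog reference.
KNOWN_IDS = {
    "302013": "Built TCP connection", "302014": "Teardown TCP connection",
    "302015": "Built UDP connection", "302016": "Teardown UDP connection",
    "302020": "Built ICMP connection", "302021": "Teardown ICMP connection",
    "305011": "Built dynamic translation", "305012": "Teardown dynamic translation",
}
MSG_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<id>\d{6}): (?P<text>.*)")

# Constructed sample of `show logging` output (documentation address ranges).
SAMPLE_LOG = """\
%ASA-6-305011: Built dynamic TCP translation from LAN-PORT:10.10.10.50/51000 to ISP-PORT:203.0.113.7/51000
%ASA-6-302013: Built outbound TCP connection 901 for ISP-PORT:198.51.100.20/443 (198.51.100.20/443) to LAN-PORT:10.10.10.50/51000 (203.0.113.7/51000)
%ASA-6-302014: Teardown TCP connection 901 for ISP-PORT:198.51.100.20/443 to LAN-PORT:10.10.10.50/51000 duration 0:00:04 bytes 5120 TCP FINs
%ASA-6-305012: Teardown dynamic TCP translation from LAN-PORT:10.10.10.50/51000 to ISP-PORT:203.0.113.7/51000 duration 0:00:34
%ASA-6-302020: Built outbound ICMP connection for faddr 198.51.100.20/0 gaddr 203.0.113.7/7 laddr 10.10.10.50/7
%ASA-6-302021: Teardown ICMP connection for faddr 198.51.100.20/0 gaddr 203.0.113.7/7 laddr 10.10.10.50/7
%ASA-6-302013: Built outbound TCP connection 902 for ISP-PORT:198.51.100.20/443 (198.51.100.20/443) to LAN-PORT:10.10.10.60/52000 (203.0.113.7/52000)
%ASA-3-106014: Deny inbound icmp src ISP-PORT:198.51.100.99 dst LAN-PORT:10.10.10.50 (type 8, code 0)
"""


def triage(log_text, host):
    """Count message IDs on lines naming `host`; collect lines at severity <= 4."""
    # Lookarounds stop 10.10.10.5 from matching inside 10.10.10.50.
    host_re = re.compile(r"(?<![\d.])" + re.escape(host) + r"(?!\d)")
    counts, alerts = Counter(), []
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if m is None or not host_re.search(m["text"]):
            continue
        counts[m["id"]] += 1
        if int(m["sev"]) <= 4:  # warning or more severe: read these first
            alerts.append(line.strip())
    return counts, alerts


if __name__ == "__main__":
    counts, alerts = triage(SAMPLE_LOG, "10.10.10.50")
    for msg_id, n in counts.most_common():
        print(f"{msg_id} x{n}: {KNOWN_IDS.get(msg_id, 'not in table, look it up')}")
    for line in alerts:
        print("severity <= 4:", line)
```

With `logging buffered 7` the severity 6 build/teardown lines dominate the buffer, so filtering by host and severity first shortens the list of IDs that need a lookup.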

Happy to hear that you found the root cause of the problem and made some alternate arrangements for your home entertainment solution.


HTH