http inspect in ASA 5510 messes up svn authentication

vladimirtch
Level 1

I have a strange problem in my ASA 5510 firewall. I turned on the http inspect policy to block certain URLs, but that destroyed svn communication. Interestingly, if I use a simple web browser to access the svn server, it works, but any svn-client requests fail with the error "Could not read status line: An existing connection was forcibly closed by the remote host". I did some packet sniffing and discovered that with http inspect off the WebDAV request is answered, but with http inspect on it is rejected with an "unauthorized" error. Here are examples of successful and failed conversation packets:

Success:

1. <Client-IP> <Server-IP> WEBDAV WEBDAV:Request, PROPFIND /svn/repos/myrepo/trunk  {HTTP:3, TCP:2, IPv4:1}

2. <Client-IP> <Server-IP> WEBDAV WEBDAV:HTTP Payload, URL: /svn/repos/myrepo/trunk  {HTTP:3, TCP:2, IPv4:1}

3. <Server-IP> <Client-IP> TCP TCP:Flags=...A...., SrcPort=HTTP(80), DstPort=58882, PayloadLen=0, Seq=4139355337, Ack=3464798063, Win=258 (scale factor 0x8) = 66048 {TCP:2, IPv4:1}

4. <Server-IP> <Client-IP> WEBDAV WEBDAV:Response, HTTP/1.1, Status: UNHANDLED HTTP Status Code, URL: /svn/repos/myrepo/trunk  {HTTP:3, TCP:2, IPv4:1}

Failure:

1. <Client-IP> <Server-IP> WEBDAV WEBDAV:Request, PROPFIND /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}

2. <Client-IP> <Server-IP> WEBDAV WEBDAV:HTTP Payload, URL: /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}

3. <Server-IP> <Client-IP> TCP TCP:Flags=...A.R.., SrcPort=HTTP(80), DstPort=1137, PayloadLen=0, Seq=1075661931, Ack=4049054406, Win=64240 (scale factor 0x0) = 64240 {TCP:2, IPv4:1}

4. <Client-IP> <Server-IP> TCP TCP:Flags=......S., SrcPort=1138, DstPort=HTTP(80), PayloadLen=0, Seq=1032908784, Ack=0, Win=64240 ( ) = 64240 {TCP:4, IPv4:1}

5. <Server-IP> <Client-IP> TCP TCP:Flags=...A..S., SrcPort=HTTP(80), DstPort=1138, PayloadLen=0, Seq=4184445498, Ack=1032908785, Win=8192 ( Scale factor not supported ) = 8192 {TCP:4, IPv4:1}

6. <Client-IP> <Server-IP> TCP TCP:Flags=...A...., SrcPort=1138, DstPort=HTTP(80), PayloadLen=0, Seq=1032908785, Ack=4184445499, Win=64240 (scale factor 0x0) = 64240 {TCP:4, IPv4:1}

Packet #4 is the actual differentiator.

Has anybody had that issue, or does anybody know the solution?

I found one mention of that error with this assessment: "Older firewall/proxies do not understand the WebDAV related HTTP requests for accessing Subversion using HTTP URL"

in this post: https://groups.google.com/forum/?fromgroups=#!msg/google-code-hosting/FxpUkunjoYw/vjl7gejX0GcJ

But no helpful tips.
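As an added illustration (not part of the original thread), a small Python analyzer for the Network Monitor-style frame summaries quoted above: it pairs each WebDAV request with the server's next frame in the same TCP conversation and reports whether the answer was an HTTP response or a TCP reset, which is exactly the difference between the two captures. The sample input is the failing exchange from the post; the `{TCP:n}` conversation-id tag and the `Flags=` field layout are assumed from the quoted lines.

```python
import re

# Frame summary as printed in the post: "<n>. <src> <dst> <proto> <detail> {<tags>}"
FRAME_RE = re.compile(r"^\d+\.\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\w+)\s+(?P<detail>.*?)\s*\{(?P<tags>[^}]*)\}\s*$")
TCP_ID_RE = re.compile(r"TCP:(\d+)")          # conversation id in the trailing tag list
FLAGS_RE = re.compile(r"Flags=([.A-Z]+)")      # e.g. ...A.R.. (ACK+RST)
REQ_RE = re.compile(r"Request, (\w+) (\S+)")    # method and URL of a WebDAV request

def parse_frames(trace):
    frames = []
    for line in trace.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not frame summaries
        tcp = TCP_ID_RE.search(m["tags"])
        frames.append({"src": m["src"], "dst": m["dst"], "proto": m["proto"],
                       "detail": m["detail"], "conv": int(tcp.group(1)) if tcp else None})
    return frames

def classify_requests(trace):
    """For each WebDAV request: did the server answer with an HTTP response, a TCP RST, or nothing?"""
    frames = parse_frames(trace)
    results = []
    for i, f in enumerate(frames):
        req = REQ_RE.search(f["detail"]) if f["proto"] == "WEBDAV" else None
        if not req:
            continue
        outcome = "no-answer"
        for g in frames[i + 1:]:
            if g["conv"] != f["conv"] or g["src"] != f["dst"]:
                continue  # only server->client frames of the same TCP conversation count
            flags = FLAGS_RE.search(g["detail"])
            if flags and "R" in flags.group(1):
                outcome = "reset"      # connection torn down before any HTTP answer
                break
            if g["proto"] == "WEBDAV" and "Response" in g["detail"]:
                outcome = "response"   # a real HTTP status line came back
                break
        results.append({"conv": f["conv"], "method": req.group(1),
                        "url": req.group(2), "outcome": outcome})
    return results

# The failing exchange quoted in the post (first four frames), used as sample input.
FAILURE_TRACE = """\
1. <Client-IP> <Server-IP> WEBDAV WEBDAV:Request, PROPFIND /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
2. <Client-IP> <Server-IP> WEBDAV WEBDAV:HTTP Payload, URL: /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
3. <Server-IP> <Client-IP> TCP TCP:Flags=...A.R.., SrcPort=HTTP(80), DstPort=1137, PayloadLen=0, Seq=1075661931, Ack=4049054406, Win=64240 (scale factor 0x0) = 64240 {TCP:2, IPv4:1}
4. <Client-IP> <Server-IP> TCP TCP:Flags=......S., SrcPort=1138, DstPort=HTTP(80), PayloadLen=0, Seq=1032908784, Ack=0, Win=64240 ( ) = 64240 {TCP:4, IPv4:1}
"""
```

Running `classify_requests(FAILURE_TRACE)` reports the PROPFIND in conversation 2 as `reset`; fed the successful capture it reports `response`, so the same check can be run over a longer capture to find every request the inspection engine killed.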


patoberli
VIP Alumni

See here for how the inspect actually works (for version 8.2); maybe you will find the reason why it gets blocked:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1735782
