Beginner

Webex issues consistent through ASA firewalls

 Hi all,

I got a client and they use Webex stations and Webex apps on PCs.

They got fibre service, yet performance is poor most of the time.

Read an article about allowing outbound UDP 9000 through the firewall, but implicit policies are in place, so all traffic allowed from inside to the outside.

Other apps, like Skype and TeamViewer, have no issues on the same PCs and network. All hosts are hardwired (no WiFi in use).

 

I'm getting confused as to what could be the issue, especially as I can't see UDP 9000 used on the PC (in the netstat -an command); however, there is a session on each site's ASA using both UDP 9000 and TCP 443, both sessions incrementing packets...

Wonder if anyone had similar experience?

I'll have to digest the configuration; I'll paste it later, but for now, here are the sessions from two different branches:

ASA5516X-FW01/act# sh conn | inc 10.7.10.87
...
TCP OUTSIDE 188.172.208.138:5938 INSIDE 10.7.10.87:49462, idle 0:00:20, bytes 191513, flags UxIOX
UDP OUTSIDE 114.29.192.95:9000 INSIDE 10.7.10.87:60573, idle 0:00:00, bytes 9849856, flags X
UDP OUTSIDE 114.29.192.95:9000 INSIDE 10.7.10.87:64336, idle 0:00:00, bytes 201397360, flags X
TCP OUTSIDE 114.29.192.95:443 INSIDE 10.7.10.87:51560, idle 0:00:00, bytes 672621, flags UxIO

 

B-ASA5516X-FW01/act# sh conn | inc 10.2.1.249
...
UDP OUTSIDE 114.29.192.95:9000 INSIDE 10.2.1.249:61169, idle 0:00:00, bytes 1802320, flags X
UDP OUTSIDE 114.29.192.95:9000 INSIDE 10.2.1.249:51851, idle 0:00:00, bytes 324618730, flags X
TCP OUTSIDE 114.29.192.95:443 INSIDE 10.2.1.249:53553, idle 0:00:02, bytes 1107153, flags UxIO

 

 

Beginner

Re: Webex issues consistent through ASA firewalls

And here is the relevant config...

Please let me know of any thoughts?

Beginner

Re: Webex issues consistent through ASA firewalls

Sorry, my bad, wrong file.

Here is the config file attached.

Contributor

Re: Webex issues consistent through ASA firewalls

Flag X indicates that the flow is handled by the Firepower module, so you should check it. If there are no clues, try excluding this port from the service module inspection ACL.
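
The check suggested in the reply above, as an added example that is not part of the original thread: a Python script that parses `show conn` lines and lists the flows carrying the `X` flag, which the reply says marks traffic handled by the Firepower module. The function names are hypothetical; the sample lines are the ones posted in the first message, and only the `X` flag is interpreted.

```python
import re
from collections import defaultdict

# Lines copied from the "sh conn" output in the first post of this thread.
SAMPLE = """\
...
TCP OUTSIDE 188.172.208.138:5938 INSIDE 10.7.10.87:49462, idle 0:00:20, bytes 191513, flags UxIOX
UDP OUTSIDE 114.29.192.95:9000 INSIDE 10.7.10.87:60573, idle 0:00:00, bytes 9849856, flags X
UDP OUTSIDE 114.29.192.95:9000 INSIDE 10.7.10.87:64336, idle 0:00:00, bytes 201397360, flags X
TCP OUTSIDE 114.29.192.95:443 INSIDE 10.7.10.87:51560, idle 0:00:00, bytes 672621, flags UxIO
"""

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<r_if>\S+)\s+(?P<r_ip>[\d.]+):(?P<r_port>\d+)\s+"
    r"(?P<l_if>\S+)\s+(?P<l_ip>[\d.]+):(?P<l_port>\d+),\s+idle\s+(?P<idle>[\d:]+),"
    r"\s+bytes\s+(?P<bytes>\d+),\s+flags\s*(?P<flags>\S*)\s*$"
)

def parse_conns(text):
    """Return one dict per connection line; prompts, '...' and noise are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        conn = m.groupdict()
        for key in ("r_port", "l_port", "bytes"):
            conn[key] = int(conn[key])
        conns.append(conn)
    return conns

def service_module_flows(conns):
    """Flows whose flags contain 'X'. Flags are case-sensitive: 'x' is a different flag."""
    return [c for c in conns if "X" in c["flags"]]

def bytes_by_service(conns):
    """Total bytes per (protocol, remote port), to show which service dominates."""
    totals = defaultdict(int)
    for c in conns:
        totals[(c["proto"], c["r_port"])] += c["bytes"]
    return dict(totals)

if __name__ == "__main__":
    redirected = service_module_flows(parse_conns(SAMPLE))
    for c in redirected:
        print(f'{c["proto"]} {c["l_ip"]}:{c["l_port"]} -> {c["r_ip"]}:{c["r_port"]} flags={c["flags"]}')
    for (proto, port), total in sorted(bytes_by_service(redirected).items()):
        print(f"{proto}/{port}: {total} bytes via service module")
```

Running it again on fresh `show conn` output after changing the service module inspection ACL shows whether the UDP 9000 flows still carry the `X` flag.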

Beginner

Re: Webex issues consistent through ASA firewalls

Thanks Peter,

 

I've excluded Webex traffic from FirePower inspection, yet the problems remained.

I did a packet-tracer command on a typical Webex connection and confirmed it wasn't sent to IPS policy for inspection...

Any more ideas? Do you think there's much difference in using implicit allow (for traffic initiated from higher security level to lower) and explicitly defining Webex traffic (Network Objects - Webex URLs and public IPs, as well as UDP/TCP ports)?

 

Thanks,

Alex