Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1707
Views
0
Helpful
4
Replies

Webex issues consistent through ASA firewalls

aleksa
Level 1
Level 1

‎07-31-2019 06:57 AM - edited ‎02-21-2020 09:21 AM

 Hi all,

I got a client and they use Webex stations and Webex apps on PC-s.

They got fibre service, yet performance is poor most of the time.

Read an article about allowing outbound UDP 9000 through the firewall, but implicit policies are in place, so all traffic allowed from inside to the outside.

Other apps like Skype and TeamViewer, have no issues on the same PC-s and network. All hosts hardwired (no WiFi in use)

 

I'm getting confused as to what could be the issue, especially that I can't see UDP 9000 used on the PC (in netstat -an command),

however, there is session on each site ASA using both UDP 9000 and TCP 443, both sessions incrementing packets...

Wonder if anyone had similar experience?

I'll have to digest the configuration, I'll paste it later, but for now,

Here are the sessions from two different branches:

ASA5516X-FW01/act# sh conn | inc 10.7.10.87
...
TCP OUTSIDE 188.172.208.138:5938 INSIDE 10.7.10.87:49462, idle 0:00:20, bytes 191513, flags UxIOX
UDP OUTSIDE 114.29.192.95:9000 INSIDE 10.7.10.87:60573, idle 0:00:00, bytes 9849856, flags X
UDP OUTSIDE 114.29.192.95:9000 INSIDE 10.7.10.87:64336, idle 0:00:00, bytes 201397360 , flags X
TCP OUTSIDE 114.29.192.95:443 INSIDE 10.7.10.87:51560, idle 0:00:00, bytes 672621, fl ags UxIO

 

B-ASA5516X-FW01/act# sh conn | inc 10.2.1.249
...
UDP OUTSIDE 114.29.192.95:9000 INSIDE 10.2.1.249:61169, idle 0:00:00, bytes 1802320, flags X
UDP OUTSIDE 114.29.192.95:9000 INSIDE 10.2.1.249:51851, idle 0:00:00, bytes 324618730, flags X
TCP OUTSIDE 114.29.192.95:443 INSIDE 10.2.1.249:53553, idle 0:00:02, bytes 1107153, flags UxIO

 

 

0 Helpful
4 Replies 4

aleksa
Level 1
Level 1

‎07-31-2019 02:13 PM

And here is the relevant config...

Please let me know of any thoughts?

Preview file
1 KB
0 Helpful

aleksa
Level 1
Level 1
In response to aleksa

‎08-02-2019 02:48 AM

Sorry, my bad, wrong file.

Here is the config file attached.

Preview file
17 KB
0 Helpful

Peter Koltl
Level 7
Level 7

‎08-03-2019 12:50 PM

Flag X indicates that the flow is handled by Firepower module so you should check it. If no clues, try excluding this port from the service module inspection ACL.

0 Helpful

aleksa
Level 1
Level 1
In response to Peter Koltl

‎08-08-2019 02:38 PM

Thanks Peter,

 

I've excluded Webex traffic from FirePower inspection, yet the problems remained.

I did packet-trace command on typical Webex connection and confirmed it wasn't sent to IPS policy for inspection...

Any more ideas? Do you think there's much difference in using implicit allow (for traffic initiated from higher security level to lower) and explicitly defining Webex traffic (Network Objects - Webex URL-s and public IP-s, as well as UDP/TCP ports)?

 

Thanks,

Alex

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card