09-10-2010 11:40 AM - edited 03-11-2019 11:38 AM
I'm stumped! We have one website that we use ALL the time. Sometimes it works, sometimes it doesn't.
www.cutr.usf.edu; it's a good URL, it works on any other device not behind the ASA.
When we navigate to it, it displays "503 service unavailable, Unable to connect to 131.247.19.33".
I can see it building and tearing down the connection. TCP FINs look normal, but this is what we get. It may work fine for a while, then not. Last time I started putting www in front of the URL and now nothing works. Any ideas?
6 | Sep 10 2010 | 14:34:27 | 302014 | 131.247.19.33 | 80 | 192.168.1.36 | 5129 | Teardown TCP connection 11045881 for WAN:131.247.19.33/80 to LAN:192.168.1.36/5129 duration 0:00:00 bytes 277 TCP FINs |
6 | Sep 10 2010 | 14:34:27 | 302013 | 131.247.19.33 | 80 | 192.168.1.36 | 5129 | Built outbound TCP connection 11045881 for WAN:131.247.19.33/80 (131.247.19.33/80) to LAN:192.168.1.36/5129 (74.203.134.30/4520) |
6 | Sep 10 2010 | 14:34:27 | 305011 | 192.168.1.36 | 5129 | 74.203.134.30 | 4520 | Built dynamic TCP translation from LAN:192.168.1.36/5129 to WAN:74.203.134.30/4520 |
6 | Sep 10 2010 | 14:34:24 | 302014 | 131.247.19.33 | 80 | 192.168.1.36 | 5127 | Teardown TCP connection 11045875 for WAN:131.247.19.33/80 to LAN:192.168.1.36/5127 duration 0:00:00 bytes 277 TCP FINs |
6 | Sep 10 2010 | 14:34:24 | 302013 | 131.247.19.33 | 80 | 192.168.1.36 | 5127 | Built outbound TCP connection 11045875 for WAN:131.247.19.33/80 (131.247.19.33/80) to LAN:192.168.1.36/5127 (74.203.134.30/51059) |
6 | Sep 10 2010 | 14:34:24 | 305011 | 192.168.1.36 | 5127 | 74.203.134.30 | 51059 | Built dynamic TCP translation from LAN:192.168.1.36/5127 to WAN:74.203.134.30/51059 |
Trend Micro InterScan for Cisco CSC SSM 6.3.1172.3
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 53 days 2 hours
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
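One way to triage the syslog rows pasted above, added here as an example and not code from the thread: it correlates the ASA 302013 (Built) and 302014 (Teardown) rows by connection id and flags flows that close in under a second carrying only a few hundred bytes, far too little to be the real page. The sample reuses the rows above plus one constructed healthy flow to a TEST-NET address; the 1024-byte threshold is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the thread's ASA syslog table layout; the first four
# rows copy the thread's own lines, the last row is a made-up healthy flow to a
# TEST-NET address (not a real site) so the checks have a contrast case.
SAMPLE_LOG = """\
6 | Sep 10 2010 | 14:34:27 | 302014 | 131.247.19.33 | 80 | 192.168.1.36 | 5129 | Teardown TCP connection 11045881 for WAN:131.247.19.33/80 to LAN:192.168.1.36/5129 duration 0:00:00 bytes 277 TCP FINs |
6 | Sep 10 2010 | 14:34:27 | 302013 | 131.247.19.33 | 80 | 192.168.1.36 | 5129 | Built outbound TCP connection 11045881 for WAN:131.247.19.33/80 (131.247.19.33/80) to LAN:192.168.1.36/5129 (74.203.134.30/4520) |
6 | Sep 10 2010 | 14:34:24 | 302014 | 131.247.19.33 | 80 | 192.168.1.36 | 5127 | Teardown TCP connection 11045875 for WAN:131.247.19.33/80 to LAN:192.168.1.36/5127 duration 0:00:00 bytes 277 TCP FINs |
6 | Sep 10 2010 | 14:34:24 | 302013 | 131.247.19.33 | 80 | 192.168.1.36 | 5127 | Built outbound TCP connection 11045875 for WAN:131.247.19.33/80 (131.247.19.33/80) to LAN:192.168.1.36/5127 (74.203.134.30/51059) |
6 | Sep 10 2010 | 14:35:10 | 302014 | 198.51.100.10 | 80 | 192.168.1.36 | 5131 | Teardown TCP connection 11045890 for WAN:198.51.100.10/80 to LAN:192.168.1.36/5131 duration 0:00:03 bytes 48211 TCP FINs |
"""

BUILT = re.compile(r"Built outbound TCP connection (\d+) for \w+:([\d.]+)/(\d+)")
TEARDOWN = re.compile(r"Teardown TCP connection (\d+) for \w+:([\d.]+)/(\d+) to "
                      r"\w+:([\d.]+)/(\d+) duration (\d+):(\d+):(\d+) bytes (\d+) (.+)$")

def parse_asa_log(text):
    """Correlate ASA 302013 (Built) and 302014 (Teardown) rows by connection id."""
    conns = {}
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 9:
            continue
        msg_id, body = cols[3], cols[8]
        if msg_id == "302013" and (m := BUILT.search(body)):
            conns.setdefault(m.group(1), {})["server"] = f"{m.group(2)}:{m.group(3)}"
        elif msg_id == "302014" and (m := TEARDOWN.search(body)):
            h, mi, s = (int(x) for x in m.group(6, 7, 8))
            conns.setdefault(m.group(1), {}).update(
                server=f"{m.group(2)}:{m.group(3)}", client=f"{m.group(4)}:{m.group(5)}",
                duration_s=h * 3600 + mi * 60 + s, bytes=int(m.group(9)), reason=m.group(10))
    return conns

def suspect_flows(conns, max_bytes=1024):
    """Ids of flows that closed cleanly in under a second with only a few hundred
    bytes: too small for a real page, consistent with a short 503 error response."""
    return sorted(cid for cid, r in conns.items() if "bytes" in r
                  and r["duration_s"] == 0 and r["bytes"] <= max_bytes
                  and r["reason"].startswith("TCP FINs"))

def servers_never_loading(conns, max_bytes=1024):
    """Servers whose every completed flow was tiny (site never came through once)."""
    total, tiny = Counter(), Counter()
    for r in conns.values():
        if "bytes" in r:
            total[r["server"]] += 1
            tiny[r["server"]] += r["bytes"] <= max_bytes   # bool counts as 0/1
    return sorted(s for s in total if tiny[s] == total[s])
```

Run it over a larger export of the same table and a server that appears only in the second list is one the proxy never delivered, while a server with mixed results is the intermittent case the thread describes.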
09-10-2010 12:01 PM
Hi Robert,
What version of CSC software are you running? I would suggest an upgrade to 6.3.1172.3 to make sure you have all of the latest bug fixes.
Hope that helps.
-Mike
09-10-2010 12:03 PM
Trend Micro InterScan for Cisco CSC SSM 6.3.1172.3
It's below the log output, all the versions I have of what device.
09-10-2010 07:17 PM
Try to change the DNS server IPs that the CSC is using to something like 4.2.2.2 and see if that helps.
-KS
12-13-2010 05:41 AM
I've got the same problem with the CSC-SSM module in my ASA 5520.
12-13-2010 07:32 AM
Couple of things I did to stop mine from doing it, well, not as often.
Make sure the site you're browsing to has a WWW in front of it.
Make sure the IP of the module is set in an exclusion zone on your DHCP server so it's not handed out. (I had some cell phones snagging the IP, killing the connection to it.)
Check your DNS servers and add additional forwarders if available.
12-16-2010 05:24 AM
Hi,
I tried everything (IP was already in an exclusion zone, DNS has a couple of forwarders) and it still occasionally occurs. Overall I find the CSC-SSM slow. A site (www.trackdog.de) that normally loads within 300ms is taking 4 seconds with only URL filtering on. If I turn on Web Reputation it might take up to 8 seconds. Scanning does not make it better either...
This is not acceptable; what can be done?
And the classifications are sometimes totally off topic (shop sites with decent home and garden stuff as pornographic is ridiculous).
Kind regards
David
12-16-2010 07:48 AM
Mine still does the same, and I found Cisco support to be lacking unless you pay assloads for service... When you already pay assloads for the equipment they should throw some support in with it.
12-16-2010 02:44 PM
I am not sure what you mean by "Cisco support". If you have a support contract we should be able to work on the problem and fix it if it is due to faulty behavior. Did you actually open a case for the CSC module?
I would suggest capturing packets for a "slow page" or one that doesn't come up. I would try to see if it is introduced due to slow response from the Trend servers or if it is related to something else.
PK
12-16-2010 02:40 PM
David,
Keep in mind that with reputation or URL filtering services enabled, for every HTTP GET that you make (each page has many) the module needs to go to the server and ask if it is legit or not. So, if your network is slow or oversubscribed, or if you have a lot of traffic going through, then adding 0.5s of delay for every GET could add up to some delay for the page itself. I haven't looked into the issue itself, it could be related to the CSC being slow itself (make sure your version is up to date and you are not doing Debug level logs on it), but it is something to keep in mind.
As for the classifications, if that is happening it needs to be fixed. Give us examples of pages that are blocked and should not be. http://reclassify.url.trendmicro.com/submit-files/onlinequery.asp will give you what the pages are classified as.
PK
12-16-2010 11:38 PM
Hi,
Ok, that explains what I see in Firebug (see pictures). Lots of DNS waits which are not DNS waits but waits for the CSC server.
Pretty dumb it does not cache the website's URL and only do one server check: if it is ok for that page, we do not check again...
Our network is not oversubscribed (we have a 34MB connection, bandwidth usage under 2% at the moment at peak times...). I can make the picture attached at any moment (also at 12 AM, and I can assure you there is no one in the office...)
That CSC server is pretty lame if you ask me.
It sounds to me we have bought the wrong product.
As for reclassify: I have posted a couple of websites, but the ones I reclassified are so obviously not Adult that I do wonder who decides what is what. Or are you just counting reclassifications from users (read: competitors that want them to be porn) without checking the website?
Kind regards
David
12-17-2010 05:32 AM
Please try to capture a slow page on your module. I see some delays that are more than 1-2s, and these seem a little odd. Maybe it takes time for the server to respond. Where are you located really? Sometimes the path to the Trend server can add time. Capture traffic on the ASA using the capture command on the inside and outside interface. See if the module takes time to do the DNS lookup before it checks the "page being legit or not" or if it takes time for it to hear back. It is normal to have some delay, but not more than 2-3-4s of delay per page for most people.
Also check at what level you are logging. Also note that 6.3.1172.4 has introduced HTTP enhancements that speed browsing. So if you are running 6.2.xxx it is worth trying 6.3. The RAM of the module is not big enough; that is why it cannot cache many websites.
As for classification, it is done by Trend. It is not based on user classification. The feedback form just sets a flag for them to check the website. There are many heuristics that go into the equation including activity and traffic seen from the URL, reports from various sources, IDS, attacks deployed coming from the website, checks of the website content itself, etc. It is more or less what all vendors in the field do.
Now, as for it being the right product or not, experience has shown that it suits more small and medium size customers. That is a general statement, but for what the product can do, most users have it working fine. Of course, since its development there have been other newer solutions that have come out also (like IronPort) that could potentially be leveraged to provide this functionality in other efficient ways.
I would be curious if your CSC is acting up, or if it is just behaving as expected, and I would check captures as suggested in my first paragraph.
Rgs,
PK
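The two-sided capture suggested above, written out as an added example rather than anything posted in the thread. Interface names, the client address (192.168.1.36 from the log), its NAT address (74.203.134.30 from the log), the placeholders MODULE_IP and TFTP_HOST, and the use of port 80 are all assumptions.

```cisco
! Constructed example; interface names and addresses are assumptions.
! Same client flow captured on both sides of the ASA: compare when the
! SYN/GET leaves inside, when it appears outside, and when the reply returns.
capture capin interface inside match tcp host 192.168.1.36 host 131.247.19.33 eq 80
! Outside sees the NAT address, not the client's inside address.
capture capout interface outside match tcp host 74.203.134.30 host 131.247.19.33 eq 80
! DNS lookups made by the CSC module itself (MODULE_IP is a placeholder for
! the module's management address); long gaps here point at the DNS path.
capture capdns interface inside match udp host MODULE_IP any eq 53
! Reproduce the slow or failing page, then inspect or export the captures.
show capture capin
show capture capout detail
show capture capdns
copy /pcap capture:capin tftp://TFTP_HOST/capin.pcap
! Remove the captures once the evidence is saved; they consume ASA memory.
no capture capin
no capture capout
no capture capdns
```

Lining up the timestamps of the inside GET, the outside GET and the module's DNS query shows whether the wait is in the module's lookup, in the module's call to the reputation service, or in the origin server.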
12-17-2010 05:38 AM
David,
Would you be willing to open a case with TAC? It would be better in this case, as we would have to gather captures and analyze where the delay is, where the CSC is located physically, and where the DNS server is located physically and its path out to the internet.
Once you open a TAC case please let us know the case number; we can make sure it progresses well on our side.
-KS
01-05-2011 05:47 AM
Hi,
Took me a while to open the TAC case (needed to do that via my normal Cisco support channel).
I have opened a TAC case:
SR: 616454465
SUMMARY: Slow webtraffic with activated Plus License features
SEVERITY: 3
STATUS: Cisco Pending
Case owned by Sachin Vaish
Maybe we find something.
12-17-2010 06:41 AM
I'm running the latest firmware on the CSC module. I usually don't have an issue with sites. If they do pop up as service unavailable, a refresh will clear the issue due to high traffic and low bandwidth. We only have a bonded T1 for VoIP and Internet. 1.25mbps is slow by comparison with the amount of traffic we pump through it.
All that being said, I'm having issues with one site in specific: www.cutr.usf.edu. Now at home it works great, cellular it works great; through the ASA it never comes up. It just says service unavailable, cannot contact ip ***.***.***.***. This isn't normal operation. How would I track the lookup (GET) of the page? Or how delayed it is? I'm not aware of tools for the ASA that can assist in this type of thing. We are not running debug logs either.
Product version: Trend Micro InterScan for Cisco CSC SSM 6.3.1172.4
I even added the cutr website to all the exception lists for scanning. Still nothing.
As far as service: I don't have a contract on this particular ASA so you can't even open a ticket on it. We are a governmental body that has limited funds for service and support. When you're paying over $10K for an appliance it's a little hard to chew on a couple extra thousand for support contracts.