cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
569
Views
0
Helpful
3
Replies

Application through PIX 7.2(2)on https 443 causing problem

swapnendum
Level 1
Level 1

We have a tomcat application hosted in DMZ zone. There is a Static NAT on PIX for access from outside. This application behaves intermittently when hosted on 443 port.Users get Page can't be displayed in iexplorer intermittently.

The same application works fine when the port is changed to 8443 on the server and the related ACLs are updated on PIX.

We tried various tests and till now it seems PIX is the culprit.

We removed the PIX and hosted the server directly on a public IP and executed the application on port 443 and it worked fine.

is there any reason why 443 would cause problems and 8443 would not? any of you faced a similar issue ?

Also to add up, we have an interesting capture report on the PIX.

Test1:

The tomcat application was configured to run on https 8443 port. We did a telnet from internet on this IP on port 8443.

output:

1: 12:21:12.244906 CLIENT-PUBLICIP.1857 > SERVER-PUBLICIP.8443: S 754833610:754833610(0) win 8192 <mss 1260,nop,nop,sackOK>

2: 12:21:12.245882 SERVER-PUBLICIP.8443 > CLIENT-PUBLICIP.1857: S 2177616046:2177616046(0) ack 754833611 win 16384 <mss 1380,nop,nop,sackOK>

3: 12:21:12.402948 CLIENT-PUBLICIP.1857 > SERVER-PUBLICIP.8443: . ack 2177616047 win 8820

4: 12:21:13.368724 CLIENT-PUBLICIP.1857 > SERVER-PUBLICIP.8443: P 754833611:754833613(2) ack 2177616047 win 8820

5: 12:21:13.480993 SERVER-PUBLICIP.8443 > CLIENT-PUBLICIP.1857: . ack 754833613 win 65533

This output is normal and as expected.

-------------------------------------------------

Test2:

The tomcat application was configured to run on https 8443 port. No application is listening on 443.We did a telnet from internet on this IP on port 443.

output:

Connected , not listening

TCP - 443

3: 11:57:39.153281 CLIENT-PUBLICIP.5434 > SERVER-PUBLICIP.443: S 48864479:48864479(0) win 16384 <mss 1260,nop,nop,sackOK>

4: 11:57:39.154212 SERVER-PUBLICIP.443 > CLIENT-PUBLICIP.5434 : R 545423695:545423695(0) ack 48864480 win 0

5: 11:57:39.163184 CLIENT-PUBLICIP.5434 > SERVER-PUBLICIP.443: . ack 2702877882 win 17640

6: 11:57:39.172491 CLIENT-PUBLICIP.5434 > SERVER-PUBLICIP.443: . ack 2702877883 win 17640

7: 11:57:39.172873 CLIENT-PUBLICIP.5434 > SERVER-PUBLICIP.443: F 48864480:48864480(0) ack 2702877883 win 17640

Result: Telnet was able to connect on 443 although no application is listening on this port.

The same test was repeated again. Test3 below shows the output.

---------------------------------------------------------

Test3:

Output------

Not Connected , not listening port

TCP 443

XXX# sh cap CAP

6 packets captured

1: 12:21:36.539721 CLIENT-PUBLICIP.1858 > SERVER-PUBLICIP.443: S 2516753572:2516753572(0) win 8192 <mss 1260,nop,nop,sackOK>

2: 12:21:36.540621 SERVER-PUBLICIP.443 > CLIENT-PUBLICIP.1858: R 213065708:213065708(0) ack 2516753573 win 0

3: 12:21:37.104517 CLIENT-PUBLICIP.1858 > SERVER-PUBLICIP.443: S 2516753572:2516753572(0) win 8192 <mss 1260,nop,nop,sackOK>

4: 12:21:37.105341 SERVER-PUBLICIP.443 > CLIENT-PUBLICIP.1858: R 1440753226:1440753226(0) ack 2516753573 win 0

5: 12:21:37.761099 CLIENT-PUBLICIP.1858 > SERVER-PUBLICIP.443: S 2516753572:2516753572(0) win 8192 <mss 1260,nop,nop,sackOK>

6: 12:21:37.761908 SERVER-PUBLICIP.443 > CLIENT-PUBLICIP.1858: R 849891032:849891032(0) ack 2516753573 win 0

Result: This time telnet didnt connect. The output of Test2 and Test 3 varies randomly as stated above. Some times telnet connects to port 443 and sometimes it doesnt connect on 443. AND there is no application listening on 443 when we perform these tests.

Wht would cause this behavior on PIX? TCP interception has do anything ?

3 Replies 3

cpembleton
Level 4
Level 4

Are you doing any inspection on port 443? This would cause to work on 8443 and not 443.

Show run policy-map

Thanks,

Chad

nopes no inspection for 443 is configured. Infact, i tried doing it but PIX doesnt supoort inspection of https traffic. I can associate 443 with http traffic and do inspection but it wont make sense.

Settings on the PIX for 8443 and 443 is exactly same.

Correct, just wanted to make sure you did not have anything configured.

Instead of doing a cap can you do some debugging. This will tell you what the ASA is doing. Debugging is a high priority so make sure you do it when it will have the least impact.

Thanks,

Chad

Review Cisco Networking for a $25 gift card