Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
240
Views
0
Helpful
3
Replies

ASA 5525-x with CX - web browsing and other traffic stops being redirected to CX

Fraser010
Level 1
Level 1

‎10-07-2015 11:56 PM - edited ‎03-11-2019 11:42 PM

Hi All,

 

We have a ASA 5525-x with the CX module which ahs been in operation for a year now with Access, Identity and Decryption policies set up and its been working perfectly. We redirect all traffic from the ASA to the CX in our policy. Since yesterday, 7 Oct 2015, internet browsing stopped working all together. After some investigations we noticed that there is no traffic going through the CX at all. We disabled the redirection from the ASA to the CX and everything started working again. As soon as we enable the redirection internal to external traffic stops but external connections such as VPN carries on working. When we use Packet tracer on the ASA for outbound traffic everything completes successfully but actual traffic does not go through. We upgraded the CX software this morning from 9.3.2.1(9) to 9.3.4.2 (11) with the hope that it would fix the problem but it didn't. Looking at the change history the last change to the system was on 2 Oct. The only think that we can see which occurred anywhere close to the time that the issues started was an update to the Web Reputation IPv4 Data and a few minutes after that it said the "Module Event Server is starting up" even though no one restarted the ASA or CX.

 

Any suggestions will be appreciated.

 

Thanks

Labels:
0 Helpful
3 Replies 3

Rishabh Seth
Level 7
Level 7

‎10-08-2015 12:19 AM

Hi,

 

You can check the event logs on the CX and try to find the reason for drop of traffic.

As you have mentioned there was a WebRep update then probably the reputation has changed in the newer updates and your traffic is getting blocked.

If the reason for drop is seen as poor WebRep and you find the website trustworthy then you can report the issue on senderbase.org. Also you can create custom policy to fine tune the permitted WebRep for a particular FQDN.

Senderbase link: http://www.senderbase.org/support/

 

Do share your findings.


Hope it helps!!!

Thanks,

R.Seth

Don't forget to mark the answer as correct if it helps in resolving your query!!!

 

0 Helpful

Fraser010
Level 1
Level 1
In response to Rishabh Seth

‎10-08-2015 02:17 AM

Hi Rishabh,

 

That is the strange thing. A while after the update we realized that there was "No Information" on the dashboard and restarted the whole ASA. The event log doesn't even show that any policies are being hit when we redirect traffic to the CX. For instance if we do not redirect traffic we can do DNS lookups as soon as we redirect traffic the DNS lookups time out but on the CX it looks like there is no traffic going to it whatsoever.

 

Marius

0 Helpful

Rishabh Seth
Level 7
Level 7
In response to Fraser010

‎10-08-2015 02:24 AM

Hi Marius,

 

Can you check the status of the CX module by using command show module cx details.

Also if possible try logging into the cx console by command " session console cx" and try 

stop and start of CX services : "services stop" and then "services start".

If this does not help then open a TAC case and troubleshoot the issue with TAC engineer as your CX might be hitting some other issue.

 

Thanks,

R.Seth

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card