ASA and websense Issue

hxmengmetro
Level 1

Hi All,

We have an ASA 5510 (8.03) configured with the URL server Websense (7.5). Sometimes we get a "URL server is not responding" error. The error happens especially when more people are trying to browse the internet. We are using a TCP connection between the ASA and Websense. Below is our configuration:

url-server (inside) vendor websense host websense_ip timeout 30 protocol TCP version 4 connections 8

url-block url-mempool 1500
url-block url-size 4

I'm wondering whether there is any limit on how many TCP connections we can make from the ASA to Websense. My packet capture shows lots of FIN packets from the ASA to Websense and also in the reverse direction. It seems like the ASA is trying to close the TCP connections. This doesn't happen when everything is in normal status. Has anyone had a similar issue before? Can I just increase the "connections" number in the url-server command?

Thanks.

Lou

4 Replies

Panos Kampanakis
Cisco Employee

If your log says that Websense is not responding I would not focus on the ASA, but on Websense. When the problem is happening you probably lose Websense. There might be a chance that you run out of blocks for Websense on the ASA. I would suggest tracking down "sh blocks" also.

There is no conn limit on the ASA as long as there are resources available. You can increase the mem-pool and cache size, but I don't think that is going to change anything.

Let us know exactly what logs you are getting when you see the issue.

I hope it points to the right direction,

PK

Thanks PK for helping me here. When we saw the "URL server is not responding" log on the ASA, we tried verifying the Websense status on the server. The process is up and the listening port is available. It seems nothing is wrong there.

As for blocks, when I configure url-block on the ASA, we can see the statistics below. It is really ugly. "Packets dropped due to exceeding url-block buffer limit" is really high. That number is increasing, but it does not always happen at the same time as the "URL server not responding" log.

URL Pending Packet Buffer Stats with max block  128
-----------------------------------------------------
Cumulative number of packets held:              13364
Maximum number of packets held (per URL):       8
Current number of packets held (global):                0
Packets dropped due to
       exceeding url-block buffer limit:        2720
       HTTP server retransmission:              3933
Number of packets released back to client:      12079

"show block" has the result as below:

  SIZE    MAX    LOW    CNT
     0    100     99    100
     4    328    327    327
    80   1000    975   1000
   256   1412   1353   1412
  1550  10147   8340   8603
  2048   2475   2456   2475
  2560    716    716    716
  4096    100    100    100
  8192    100    100    100
16384    230    230    230
65536     16     16     16

Thanks for the help.

Lou
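The two outputs quoted in this post are what PK asked to check: the url-block buffer counters and the "show blocks" pool table, where the LOW column is the low-water mark of free blocks since the last clear. The script below is an added example and is not code from the thread, from Cisco or from Websense; it parses both outputs as pasted above (embedded here as sample data) and applies the reasoning from the replies: a pool whose low-water mark approached zero would explain the "not responding" log, whereas a high url-block drop count on its own does not. The 10% free-block threshold and the function names are my own assumptions, chosen so the check can be run against live output from a terminal session.

```python
import re

# Sample output copied from the post above (ASA 5510, 8.0(3)). In practice,
# feed in the live "show blocks" and url-block statistics output instead.
SHOW_BLOCKS = """\
  SIZE    MAX    LOW    CNT
     0    100     99    100
     4    328    327    327
    80   1000    975   1000
   256   1412   1353   1412
  1550  10147   8340   8603
  2048   2475   2456   2475
  2560    716    716    716
  4096    100    100    100
  8192    100    100    100
16384    230    230    230
65536     16     16     16
"""

URL_BLOCK_STATS = """\
URL Pending Packet Buffer Stats with max block  128
-----------------------------------------------------
Cumulative number of packets held:              13364
Maximum number of packets held (per URL):       8
Current number of packets held (global):                0
Packets dropped due to
       exceeding url-block buffer limit:        2720
       HTTP server retransmission:              3933
Number of packets released back to client:      12079
"""

BLOCK_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_show_blocks(text):
    """One dict per block pool: size, max, low (low-water mark of free
    blocks), cnt (free blocks right now). Header and blank lines are skipped."""
    pools = []
    for line in text.splitlines():
        m = BLOCK_ROW.match(line)
        if m:
            size, mx, low, cnt = map(int, m.groups())
            pools.append({"size": size, "max": mx, "low": low, "cnt": cnt})
    return pools


def depleted_pools(pools, min_free_fraction=0.1):
    """Pools whose free count dipped below min_free_fraction of MAX at some
    point since the counters were cleared. LOW is the smallest free count
    ever seen, so a LOW near 0 flags exhaustion even if CNT looks fine now.
    The 10% threshold is an assumption for this example."""
    return [p for p in pools if p["max"] and p["low"] < p["max"] * min_free_fraction]


def parse_url_block_stats(text):
    """Pull the labelled counters out of the url-block buffer statistics."""
    fields = {
        "max_block": r"max block\s+(\d+)",
        "held_total": r"Cumulative number of packets held:\s+(\d+)",
        "held_max_per_url": r"Maximum number of packets held \(per URL\):\s+(\d+)",
        "held_now": r"Current number of packets held \(global\):\s+(\d+)",
        "dropped_buffer_limit": r"exceeding url-block buffer limit:\s+(\d+)",
        "dropped_retransmission": r"HTTP server retransmission:\s+(\d+)",
        "released": r"Number of packets released back to client:\s+(\d+)",
    }
    stats = {}
    for key, pattern in fields.items():
        m = re.search(pattern, text)
        stats[key] = int(m.group(1)) if m else None
    return stats


def buffer_drop_ratio(stats):
    """Share of all held packets that were dropped for exceeding the
    url-block buffer; a rising ratio means clients are losing requests."""
    total = stats["held_total"]
    return stats["dropped_buffer_limit"] / total if total else 0.0


def assess(show_blocks_text, url_block_text, drop_warn_ratio=0.05):
    """Combine both checks into findings a monitoring job can alert on."""
    pools = parse_show_blocks(show_blocks_text)
    stats = parse_url_block_stats(url_block_text)
    findings = []
    for p in depleted_pools(pools):
        findings.append(f"block pool {p['size']} ran low: LOW={p['low']} of MAX={p['max']}")
    ratio = buffer_drop_ratio(stats)
    if ratio > drop_warn_ratio:
        findings.append(f"url-block buffer drop ratio {ratio:.1%} exceeds {drop_warn_ratio:.0%}")
    return {"pools": pools, "stats": stats, "drop_ratio": ratio, "findings": findings}


if __name__ == "__main__":
    for line in assess(SHOW_BLOCKS, URL_BLOCK_STATS)["findings"]:
        print(line)
```

Run against the pasted output this reports no depleted block pool (the lowest low-water mark is the 1550-byte pool at 8340 of 10147), which is the "your blocks look fine" conclusion, while the url-block drop ratio of roughly 20% of held packets is flagged. Sampling both outputs on a schedule and keeping the history is what lets you line up a drop spike with the timestamp of the "URL server not responding" log.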

The url-block buffer being exceeded doesn't mean we should be losing Websense.

If blocks were depleted that could explain the log, but your blocks look fine.

Can you verify that you don't really lose Websense, i.e. a TCP connection loss? For example, can you start a capture with buffer wrapping for traffic between the ASA and Websense only and see whether, when you get the log, you have packet loss between them?

PK

When the "URL server not responding" log pops up, I can still ping Websense and also telnet to the listening port. The real issue is that when this log message occurs, I see lots of requests getting dropped in the url-server statistics. So the ASA does drop the clients' web requests when this issue occurs. I captured packets on the ASA when the issue happened. The difference between the normal capture and the one taken when the issue happened is the large number of FIN packets around the time the "URL server not responding" logs occurred.

I don't understand why the ASA was trying to close the TCP connections. It looks like the ASA closed the TCP connections to Websense and then dropped the clients' web requests.

Lou
