04-26-2024 05:04 AM
Hi there,
I have two ASAs that need to respond to Azure Traffic Manager probes; basically the outside interface IPs are a DNS lookup in Traffic Manager. However, the ASAs drop the HTTP probes from ATM. We cannot find anything in the service policy that references HTTP/S, and we have not changed the default policy. Anyone have any ideas, please? Sometimes the ASA responds to the first probe and ATM shows the endpoint as healthy, then it drops them; I cannot see anything about HTTP rate limits or anything referencing the outside interface dropping packets.
04-26-2024 05:59 AM
ciscoasa# show threat-detection statistics top tcp-intercept
Ascertain ASA Threat Detection Functionality and Configuration - Cisco
If the ASA allows the connection, then I think the threat-detection is dropping HTTP; try excluding the IP from it and check.
MHM
04-26-2024 08:50 AM - edited 04-26-2024 10:11 AM
@mmjcollett, do you mean that Azure sends HTTPS probe to the ASA outside interface IP address and ASA needs to respond? What kind of response does it expect and do you know how requested URL look like? Are you sure that request reaches ASA (capture tool can help you)?
Neither Threat Detection nor TCP Intercept processes to-the-box packets, as mentioned in the limitations section of the document provided by @MHM Cisco World , so I am not sure why he/she thinks that Threat Detection or TCP Intercept is the culprit. Perhaps he/she didn't read it.
ASA has a built-in limit of 100 embryonic to-the-box connections, although it is hard to believe you are hitting this limit. Still, check "show conn all proto tcp addr <ASA IP> port 443". But even if the limit is reached, it only activates SYN cookies on the box; ASA still responds with SYN/ACK and accepts the ACK from the client if it arrives. So this feature, and regular TCP Intercept as well, should never drop incoming requests. They are only here to protect against clients that do IP spoofing.
04-26-2024 08:55 AM
Forgot to mention: does ASA have "webvpn" / "enable outside" configured to respond to probes?
Also, the mentioned limit is activated on interfaces with WebVPN enabled (i.e. if firewall listens on port TCP/443).
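Added example, not code from the thread or from Cisco: a small Python script that repeats the HTTP/HTTPS GET the way the Traffic Manager health probe would and classifies each attempt. Run from a host outside the firewall against the ASA outside IP (alongside a capture on the outside interface), it separates the cases discussed above: a SYN that never gets a SYN/ACK (the "healthy, then dropped" pattern in the original question shows up as http_ok followed by tcp_timeout), a RST (reachable, but nothing listening on 443, e.g. WebVPN not enabled on outside), a failed TLS handshake, and a non-200 answer. Assumptions: probe path "/", a 2xx status counts as healthy, certificate verification is switched off because only reachability is being tested, and the local stub server is a constructed stand-in used only so the script runs offline.

```python
"""Repeat an Azure Traffic Manager-style HTTP/HTTPS health probe against one
endpoint and classify every attempt, so an intermittent drop (first probe
answered, later ones silently discarded) shows up as a pattern."""
import http.client
import http.server
import socket
import ssl
import sys
import threading
import time
from collections import Counter

# Outcome labels for one probe attempt.
TCP_TIMEOUT = "tcp_timeout"  # no SYN/ACK before the timeout: consistent with a silent drop
REFUSED = "refused"          # RST received: host reachable, nothing listening on the port
NET_ERROR = "net_error"      # other socket error before connecting (no route, unreachable)
TLS_ERROR = "tls_error"      # TCP completed but the TLS handshake failed
HTTP_OK = "http_ok"          # 2xx answer (assumption: this is what the probe treats as healthy)
HTTP_ERROR = "http_error"    # connected, but non-2xx, malformed or aborted HTTP exchange


def probe_once(host, port, path="/", use_tls=False, timeout=10.0):
    """Perform one GET the way a health probe would and return an outcome label."""
    if use_tls:
        # Reachability is the question, not the certificate, so verification is
        # switched off for this diagnostic only (never do this in a real client).
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    connected = False  # separates handshake failures from failures after connect
    try:
        conn.connect()  # TCP (and TLS) handshake: where a to-the-box drop shows up
        connected = True
        conn.request("GET", path, headers={"Host": host, "User-Agent": "probe-check/1.0"})
        resp = conn.getresponse()
        resp.read()
        return HTTP_OK if 200 <= resp.status < 300 else HTTP_ERROR
    except ConnectionRefusedError:
        return HTTP_ERROR if connected else REFUSED
    except ssl.SSLError:
        return HTTP_ERROR if connected else TLS_ERROR
    except (socket.timeout, TimeoutError):
        return HTTP_ERROR if connected else TCP_TIMEOUT
    except (OSError, http.client.HTTPException):
        return HTTP_ERROR if connected else NET_ERROR
    finally:
        conn.close()


def probe_series(host, port, count=5, interval=0.0, **kwargs):
    """Run `count` probes `interval` seconds apart; returns the outcomes in order."""
    outcomes = []
    for i in range(count):
        outcomes.append(probe_once(host, port, **kwargs))
        if interval > 0 and i + 1 < count:
            time.sleep(interval)
    return outcomes


def summarize(outcomes):
    """Count outcomes; http_ok mixed with tcp_timeout is the 'healthy, then dropped' pattern."""
    return dict(Counter(outcomes))


class _StubHandler(http.server.BaseHTTPRequestHandler):
    """Constructed local stand-in for the probed endpoint: 200 on '/', 404 elsewhere."""
    def do_GET(self):
        if self.path == "/":
            body = b"ok"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the probe output readable
        pass


def start_stub_server():
    """Start the stub on 127.0.0.1 with an ephemeral port; returns (server, port)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _StubHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    if len(sys.argv) >= 3:  # python probe_check.py <outside-ip> <port> [https]
        tls = len(sys.argv) > 3 and sys.argv[3] == "https"
        print(summarize(probe_series(sys.argv[1], int(sys.argv[2]), count=10, interval=30.0, use_tls=tls)))
    else:  # no arguments: demonstrate against the local stub
        srv, port = start_stub_server()
        print(summarize(probe_series("127.0.0.1", port, count=3)))
        srv.shutdown(); srv.server_close()
```

Read the result together with "show capture" on the outside interface: tcp_timeout with the SYN visible in the capture but no SYN/ACK leaving the box points at a to-the-box drop (check "show asp drop" next); refused means the ASA answered with a RST, which is what you get when nothing listens on that port; http_ok followed later by tcp_timeout reproduces the symptom in the question and is worth correlating with the timestamps of the probes.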