cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
477
Views
2
Helpful
3
Replies

ASA dropping Azure Traffic manager http health probes

mmjcollett
Level 1
Level 1

Hi there,

I have two ASA's that need to respond to Azure traffic manager probes, basically the outside interface IP's are a DNS lookup in traffic manager, however the ASA's drop the http probes from ATM. We cannot find anything in the service policy that references HTTP/S and we have not changed the default policy. Any one any ideas please? Sometimes the ASA responds to the first probe and ATM shoes the endpoint as healthy then is drops them, cannot see anything about HTTP rate limits or anything referencing the Outside interface dropping packets. 

3 Replies 3

ciscoasa# show threat-detection statistics top tcp-intercept

 Ascertain ASA Threat Detection Functionality and Configuration - Cisco

if the ASA allow the connection then I think the threat-detection is drop http, try exclude the IP from it and check

MHM

@mmjcollett, do you mean that Azure sends HTTPS probe to the ASA outside interface IP address and ASA needs to respond? What kind of response does it expect and do you know how requested URL look like? Are you sure that request reaches ASA (capture tool can help you)?

Neither Threat Detection, nor TCP Intercept process to-the-box packets as mentioned in the limitations section of the document provided by @MHM Cisco World , so not sure why he/she thinks that Threat Detection or TCP Intercept is the culprit. Perhaps didn't read it.

ASA has built-in limitation of 100 embryonic to-the-box connections, although it is hard to believe you are hitting this limit. Still, check "show conn all proto tcp addr <ASA IP> port 443". But even if the limit is reached, it only activates SYN cookies on the box, ASA still responds with SYN/ACK and accepts ACK from the client if it arrives. So, this feature and regular TCP Intercept as well should never drop incoming requests. They are here to only protect from clients which do IP spoofing.

 

 

Forgot to mention: does ASA have "webvpn" / "enable outside" configured to respond to probes?

Also, the mentioned limit is activated on interfaces with WebVPN enabled (i.e. if firewall listens on port TCP/443).

 

Review Cisco Networking for a $25 gift card