
Connections to web sites using typekit timing out behind FTD

MauryJ
Level 1

We noticed a strange phenomenon with at least two sites, both of which are using Adobe fonts (typekit.net), when accessed from behind our ASA with FTD.

Looking at the developer tools console in Chrome, I can see that while the page is loading, the browser sits and eventually times out waiting for a response while trying to load a font from p.typekit.net, and we see this from both Windows and Mac clients on our internal network. The actual requested URL in one case is:

https://p.typekit.net/p.css?s=1&k=oci4iyo&ht=tk&f=15779.15782&a=86990265&app=typekit&e=css

When analyzing the connection event logs in FMC, I am not seeing any relevant connections from the clients getting blocked when loading these sites. Outside of our network, the issue does not come up. The clients we're seeing this from have access to HTTP and HTTPS in our ACLs and aren't going through a proxy. Has anyone else run up against this?

Versions:

FTD 6.7.0.3

Snort 2.9.17 (Build 3014)
Rule Update 2022-06-16-001

Thanks

3 Replies

Hi,

Just to ensure that you have logging set up correctly, configure a
rule which matches a specific client source IP at the top and enable logging
on it. Then look for connection events to see if there are matches.

**** please remember to rate useful posts

jmatysek
Level 1

Hi Maury,

Just ran into something similar, and what I found was that my 2120 was associating the URL https://p.typekit.net with a web application called Burnbook (an anonymous messaging app), which Cisco classifies as a Very High Risk application, and was blocking it per a rule to block Very High Risk applications. I discovered this by viewing Connection Events filtered for my workstation IP while trying to load the website in question. I tried whitelisting the typekit URL with no effect. However, whitelisting this Burnbook app did the trick. Not sure how/why Adobe's hosted web font service got linked with this Burnbook app by Cisco in their VDB.

Hope that helps,
John

nick_t
Level 1

I have the same experience. Web pages were taking 30+ seconds to load. Using Dev Tools in the browser confirmed a use.typekit.net file was failing to load. But only behind our FTDs/FMC, not on personal / offsite machines.

Looked at the logs, scanned the URL/file with Talos, all came back fine. FMC Events shows BurnBook application as well.

I guess I'm going to whitelist BurnBook. Bummer. Is there a method to notify Talos of this mis-assignment?
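
The check the replies above describe (filtering connection events for one client and reading which application and rule matched the font host), as an added example that is not part of the thread. It assumes the events were exported to CSV; the column names, rule name and sample rows are constructed for illustration and must be adjusted to the real export.

```python
import csv
import io
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample export. Column names are assumptions modelled on
# connection-event fields; the rule name and IPs are placeholders.
SAMPLE_CSV = """\
Initiator IP,Action,Access Control Rule,Web Application,Application Risk,URL
10.1.20.15,Allow,Allow-Web,,Low,https://www.example.org/
10.1.20.15,Block,Block-VeryHigh-Risk-Apps,Burnbook,Very High,https://p.typekit.net
10.1.20.15,Block with reset,Block-VeryHigh-Risk-Apps,Burnbook,Very High,use.typekit.net
10.1.20.77,Block,Block-VeryHigh-Risk-Apps,Burnbook,Very High,https://p.typekit.net
"""


def host_of(url):
    """Extract the hostname whether or not the logged URL carries a scheme."""
    if "//" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def blocked_by_app(csv_text, client_ip, domain):
    """Count blocked flows from client_ip to domain (or a subdomain),
    keyed by (host, web application, application risk, rule)."""
    hits = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Initiator IP"] != client_ip:
            continue
        if not row["Action"].startswith("Block"):
            continue
        host = host_of(row["URL"])
        if host == domain or host.endswith("." + domain):
            key = (host, row["Web Application"],
                   row["Application Risk"], row["Access Control Rule"])
            hits[key] += 1
    return hits


if __name__ == "__main__":
    for (host, app, risk, rule), n in blocked_by_app(
            SAMPLE_CSV, "10.1.20.15", "typekit.net").items():
        print(f"{n}x {host}: identified as {app!r} ({risk}), blocked by {rule!r}")
```

An identified application that has nothing to do with the requested host, paired with a risk-based block rule, is the pattern reported in this thread.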
