Problem with Service Policy not applied on traffic...

itr05Eurofins, Level 1

Hi.

We have a quite new setup with ASA 5545-X and using it for WAN-firewalling to protect our Datacenter from the rest of our organization.
We have had trouble with specific Oracle-traffic from one site that gets broken down after 1 hour of idle time in the client-application.
What I would like to do is to raise the Timeout-value to 8 hours for traffic to that specific Oracle host from the problematic site.

The Oracle host has this "fake" IP: 192.168.101.100 (Destination_Host)
And the site with the problem has this "fake" IP network: 192.168.102.0/24 (Source_Network)

The source and destination are on different interfaces.

Could anyone advise me what's wrong in this configuration?
Because when I run a Packet Trace in ASDM it doesn't show any trace of hitting this specific Class (Specific_Host_Traffic) and the corresponding Class-Map. The config is made from ASDM.

Thanks!
/Gustaf


object network Source_Network
 subnet 192.168.102.0 255.255.255.0
object network Destination_Host
 host 192.168.101.100

<multiple access-lists>

access-list global_mpc extended permit ip object Source_Network object Destination_Host

class-map inspection-default
class-map Specific_Host_Traffic
 match access-list global_mpc
class-map inspection_default
 match default-inspection-traffic
class-map netflow
 match any
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global-policy
policy-map global_policy
 class Specific_Host_Traffic
  set connection timeout idle 8:00:00
 class inspection_default
  inspect dcerpc
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
 class class-default
  set connection decrement-ttl
!
service-policy global_policy global



jocamare, Level 4

Can you try to create a specific Access-list only for this traffic? Get it out of the "global_mpc" group.

Do a "show local X.X.X.X" where X.X.X.X is the internal IP of the host from the internal network and confirm that it is connecting to 192.168.101.100.

What do you mean by "try to create a specific Access-list only for this traffic? Get it out of the "global_mpc" group"?

I did it through ASDM so I'm not a master in CLI.

I did see the traffic being built and also getting torn down in the Logs. So I'm convinced it's the correct addresses.

Any other ideas?

/Gustaf

I mean that we can create a unique set of Access-lists just for the traffic we want to match.

[first and only rule]
access-list IDLE-T extended permit ip object Source_Network object Destination_Host

class-map Specific_Host_Traffic
 match access-list IDLE-T

policy-map global_policy
 class Specific_Host_Traffic
  set connection timeout idle 8:00:00

Can you still share the output of the "show local X.X.X.X details" command? It can be used to confirm the values we are configuring.

Hi again.

Just wanted to inform that we don't have any other rules/ACLs/ACEs for global_mpc.

We haven't used it before so it's just that rule above. Nothing more.

/Gustaf

Hi. Thanks for the replies.

Haven't had the possibility to change the ACL yet. Will do tonight.

Here is an output from show local with the current config:

Result of the command: "show local 192.168.102.7 detail"

Interface WAN-MPLS-Links: 1962 active, 3253 maximum active, 0 denied
local host: <192.168.102.7>,
    TCP flow count/limit = 13/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 1/unlimited

  Conn:
    TCP WAN-MPLS-Links: 192.168.102.7/63799 WAN-L2-R5-Links: 192.168.101.100/1526,
        flags UIOB , idle 25m20s, uptime 25m21s, timeout 1h0m, bytes 4452

    TCP WAN-MPLS-Links: 192.168.102.7/63795 WAN-L2-R5-Links: 192.168.101.100/1526,
        flags UIOB , idle 3m14s, uptime 25m38s, timeout 1h0m, bytes 367567

One more thing,

Mind posting the output of the "show service-policy" command from the unit?

The configuration as it is should work and the output of the "show local" command should be showing 8 hrs instead of 1.
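An added check, not part of this thread, for verifying the outcome jocamare describes: it parses "show local X.X.X.X detail" output and flags connections to the Oracle host whose idle timeout is still something other than the 8 hours the class policy sets. The sample output is constructed, modelled on Gustaf's paste above; the 192.168.101.200/443 connection is invented as a control.

```python
import re

# Constructed sample, modelled on the "show local ... detail" output posted in the thread:
# two conns to the Oracle host (one still on the 1h default, one already on 8h) and one elsewhere.
SAMPLE = """\
  Conn:
    TCP WAN-MPLS-Links: 192.168.102.7/63799 WAN-L2-R5-Links: 192.168.101.100/1526,
        flags UIOB , idle 25m20s, uptime 25m21s, timeout 1h0m, bytes 4452
    TCP WAN-MPLS-Links: 192.168.102.7/63795 WAN-L2-R5-Links: 192.168.101.100/1526,
        flags UIOB , idle 3m14s, uptime 25m38s, timeout 8h0m, bytes 367567
    TCP WAN-MPLS-Links: 192.168.102.7/50001 WAN-L2-R5-Links: 192.168.101.200/443,
        flags UIOB , idle 1m02s, uptime 2m10s, timeout 1h0m, bytes 1234
"""

CONN_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+\S+:\s+(?P<src>[\d.]+)/(?P<sport>\d+)\s+"
    r"\S+:\s+(?P<dst>[\d.]+)/(?P<dport>\d+),\s*$")
DETAIL_RE = re.compile(r"idle (?P<idle>\S+), uptime \S+, timeout (?P<timeout>\S+),")
UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_duration(text):
    """Convert an ASA duration such as '1h0m', '25m20s' or '8h0m' into seconds."""
    return sum(int(n) * UNIT_SECONDS[u] for n, u in re.findall(r"(\d+)([dhms])", text))

def parse_show_local(text):
    """Return one dict per connection (src/dst/ports plus idle and timeout in seconds)."""
    conns, pending = [], None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:                      # first line of a conn: interfaces, addresses and ports
            pending = m.groupdict()
            continue
        m = DETAIL_RE.search(line)
        if m and pending:          # second line: flags, idle, uptime, timeout
            pending["idle"] = parse_duration(m.group("idle"))
            pending["timeout"] = parse_duration(m.group("timeout"))
            conns.append(pending)
            pending = None
    return conns

def conns_missing_policy(conns, dst_ip, expected_timeout):
    """Conns to dst_ip still carrying a timeout other than the one the class policy sets.
    Conns built before the policy matched keep their old timeout until they are cleared."""
    return [c for c in conns if c["dst"] == dst_ip and c["timeout"] != expected_timeout]

if __name__ == "__main__":
    for c in conns_missing_policy(parse_show_local(SAMPLE), "192.168.101.100", 8 * 3600):
        print(f"{c['src']}/{c['sport']} -> {c['dst']}/{c['dport']}: timeout {c['timeout']}s, not 8h")
```

Run it against the real "show local" output after re-applying the policy; any connection it lists is one that was built before the policy took effect and still needs clearing.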

Hi.

Here is the output from "show service-policy":

Result of the command: "sh service-policy"

Global policy:
  Service-policy: global_policy
    Class-map: Oracle-DK09
      Set connection policy:         drop 0
      Set connection timeout policy:
        idle 8:00:00
        DCD: disabled, retry-interval 0:00:15, max-retries 5
        DCD: client-probe 0, server-probe 0, conn-expiration 0
    Class-map: inspection_default
      Inspect: dcerpc, packet 8557686, lock fail 0, drop 1511, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: ftp, packet 385738, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: h323 h225 _default_h323_map, packet 4, lock fail 0, drop 0, reset-drop 1, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 133
      Inspect: h323 ras _default_h323_map, packet 3, lock fail 0, drop 3, reset-drop 0, v6-fail-close 0
      Inspect: ip-options _default_ip_options_map, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: rsh, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: rtsp, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: sip , packet 884, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: skinny , packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: sqlnet, packet 20344251, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: sunrpc, packet 166, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: tftp, packet 1020838, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: xdmcp, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
    Class-map: class-default

      Default Queueing      Set connection policy:         drop 0
      Set connection decrement-ttl

/Gustaf

Ok, it just looks like it is not matching the class-map we created for it.

Try this:

Let's remove the policy-map and apply it again.

no service-policy global_policy global
service-policy global_policy global

Then, let's clear all the connections going to "192.168.101.100".

"Clear local 192.168.101.100"

That should do it.

Hi again.

Ok, I will test that. So if I run

no service-policy global_policy global

there is no risk that the configurations regarding the service-policies get removed?

I run version 9.1.1.

Just want to be sure.

/Gustaf

The configurations will remain, they just won't be applied to the traffic while the command is off.

Won't cause any problems, it might actually fix'em.

Hi jocamare!

Big Thanks!

After

no service-policy global_policy global
service-policy global_policy global
Clear local 192.168.101.100

It Works!

julomban, Level 3

Morten,

Can you do a second ACL in the opposite direction?

access-list global_mpc extended permit ip object Destination_Host object Source_Network

If possible, please also share the logs.

Regards,

Juan Lombana

Please rate helpful posts.
