Trend Micro CSC Module iTunes download issues

paul.harvey
Level 1

Hi,

Have quite an annoying problem and have not had any joy getting any solution from the vendors involved, Apple, Trend Micro, etc.

Problem:

Cisco ASA5520 with CSC10 Module. Base Licence. IOS and Updates All Up to date

Fairly Standard configuration NAT, VPN, Webmail, SMTP etc.

MD with Windows XP; wants to download from Apple iTunes to iPod.

Unable to connect to Store and Timeout when trying to download from iTunes Store and Updates.

Logs from ASA as below;

No Logs from CSC Module relating to this problem.

302013 81.23.243.136 80 192.168.250.2 2641 Built outbound TCP connection 5018 for OUTSIDE:81.23.243.136/80 (81.23.243.136/80) to INSIDE:192.168.250.2/2641 (xxx.xxx.xxx.xxx/6725)
305011 192.168.250.2 2641 xxx.xxx.xxx.xxx 6725 Built dynamic TCP translation from INSIDE:192.168.250.2/2641 to OUTSIDE:xxx.xxx.xxx.xxx/6725
304001     192.168.250.2 Accessed URL 81.23.243.136:/eu/r1000/047/Music/60/32/34/mzi.ywqawhpe.aac.a.m4p

305012 192.168.250.2 2641 xxx.xxx.xxx.xxx 6725 Teardown dynamic TCP translation from INSIDE:192.168.250.2/2641 to OUTSIDE:xxx.xxx.xxx.xxx/6725 duration 0:00:30

106015 81.23.243.136 80 xxx.xxx.xxx.xxx 6725 Deny TCP (no connection) from 81.23.243.136/80 to xxx.xxx.xxx.xxx/6725 flags ACK  on interface OUTSIDE

302014 81.23.243.136 80 192.168.250.2 2641 Teardown TCP connection 5018 for OUTSIDE:81.23.243.136/80 to INSIDE:192.168.250.2/2641 duration 0:00:29 bytes 366 TCP Reset-I

Tried on different network with ASA5520 and AIP10 no issues.

Identified that the issue is being caused by either the setup of the Trend Micro Scanning Engine or the CSC Module, as have tested by removing the CSC module, and by bypassing scanning, and then the iTunes downloads work without problem.

Found one solution which recommended using Access-Lists to bypass scanning by the CSC Module for specified IP Addresses; this worked temporarily, but as you can guess APPLE use myriads of Servers to serve their content, so it is difficult to track and except all their IP addresses.

In my opinion there must be a bug or some issue with the scanning engine that is causing the TCP Reset-I.

There are no URL or FILE Filtering/Blocking setup within the Trend Micro CSC scanning engine, just http scanning.

Any suggestions would be great.
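A way to triage the ASA export shown in the post above, added here as an example that is not part of the original thread: it lists every connection torn down with `TCP Reset-I`, together with the URLs requested from that server and any follow-on `Deny TCP (no connection)` entries. The sample lines are constructed in the post's layout (message ID first is an assumption about the export), with 203.0.113.10 standing in for the masked address.

```python
import re
from collections import defaultdict

# Constructed sample in the export layout used in the post (message ID first).
# 203.0.113.10 is a documentation address standing in for the masked NAT address.
SAMPLE = """\
302013 81.23.243.136 80 192.168.250.2 2641 Built outbound TCP connection 5018 for OUTSIDE:81.23.243.136/80 (81.23.243.136/80) to INSIDE:192.168.250.2/2641 (203.0.113.10/6725)
304001     192.168.250.2 Accessed URL 81.23.243.136:/example/track.m4p
106015 81.23.243.136 80 203.0.113.10 6725 Deny TCP (no connection) from 81.23.243.136/80 to 203.0.113.10/6725 flags ACK  on interface OUTSIDE
302014 81.23.243.136 80 192.168.250.2 2641 Teardown TCP connection 5018 for OUTSIDE:81.23.243.136/80 to INSIDE:192.168.250.2/2641 duration 0:00:29 bytes 366 TCP Reset-I
302014 198.51.100.7 80 192.168.250.2 2650 Teardown TCP connection 5019 for OUTSIDE:198.51.100.7/80 to INSIDE:192.168.250.2/2650 duration 0:00:04 bytes 52110 TCP FINs
"""

TEARDOWN = re.compile(
    r"^302014 .*Teardown TCP connection (\d+) for \w+:([\d.]+)/(\d+) to "
    r"\w+:([\d.]+)/(\d+) duration (\d+):(\d\d):(\d\d) bytes (\d+) (.+)$")
DENY = re.compile(r"^106015 .*Deny TCP \(no connection\) from ([\d.]+)/(\d+) to ")
URL = re.compile(r"^304001\s+(\S+) Accessed URL ([\d.]+):(\S+)")

def reset_report(log_text):
    """Return one record per connection whose teardown reason is 'TCP Reset-I'."""
    urls, denies, teardowns = defaultdict(list), defaultdict(int), []
    # First pass: index every line type, so the order of lines does not matter.
    for line in log_text.splitlines():
        line = line.strip()
        if m := URL.match(line):
            urls[(m[1], m[2])].append(m[3])        # keyed by (client, server)
        elif m := DENY.match(line):
            denies[(m[1], int(m[2]))] += 1         # keyed by (server, port)
        elif m := TEARDOWN.match(line):
            teardowns.append(m)
    report = []
    for m in teardowns:
        # Reset-I: the reset reached the ASA from the inside (higher-security) side.
        if m[10] != "TCP Reset-I":
            continue
        server, client = m[2], m[4]
        report.append({
            "conn_id": int(m[1]),
            "server": server,
            "client": client,
            "seconds": int(m[6]) * 3600 + int(m[7]) * 60 + int(m[8]),
            "bytes": int(m[9]),
            "urls": urls[(client, server)],
            # Late packets from the server after the connection was removed.
            "orphan_denies": denies[(server, int(m[3]))],
        })
    return report

if __name__ == "__main__":
    for record in reset_report(SAMPLE):
        print(record)
```

A short byte count, a duration close to a fixed timeout and orphaned ACKs from the server afterwards are the pattern visible in the post's own log lines.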

Marcin Latosiewicz
Cisco Employee

Paul,

I see HTTP inspection is on on this ASA. Maybe some strange interaction between HTTP inspection and CSC?

What is the version of ASA and CSC?

Panos Kampanakis
Cisco Employee

Paul,

Also make sure HTTP Deferred scanning is enabled.

Do you see any HTTP Scanning logs in the CSC when you query them that say if and why iTunes traffic was dropped?

PK

paul.harvey
Level 1

Yes it appears that deferred scanning is the cause of the issue.

The problem became clearer after a complete reset and configuration of the ASA and CSC.

Prior to the reset, only certain downloads from Apple iTunes were being affected... could download other files no problem... very strange.

Had initially believed that because we had enabled the Plus Licence evaluation and tested its features, but then did not renew the Plus Licence and continued with the Base Licence, that some hidden/old code in the Trend Micro CSC may be causing the issue.

But after the reset to factory defaults of the CSC module and the ASA, and a rebuild of the configuration with latest software/updates etc., a new problem occurred which led to the fix.

After the rebuild, downloads from ANY site above 10mb would time out, something that did not happen before, thus leading to the deferred scanning configuration.

I guess the fact that certain downloads worked prior to the fix threw us a curve and led us away from believing that the deferred scanning (not enabled by default) would have any relation to the issue.