cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2014
Views
0
Helpful
4
Replies

Webex issues consistent through ASA firewalls

aleksa
Level 1
Level 1

 Hi all,

I got a client and they use Webex stations and Webex apps on PC-s.

They got fibre service, yet performance is poor most of the time.

Read an article about allowing outbound UDP 9000 through the firewall, but implicit policies are in place, so all traffic allowed from inside to the outside.

Other apps like Skype and TeamViewer, have no issues on the same PC-s and network. All hosts hardwired (no WiFi in use)

 

I'm getting confused as to what could be the issue, especially that I can't see UDP 9000 used on the PC (in netstat -an command),

however, there is session on each site ASA using both UDP 9000 and TCP 443, both sessions incrementing packets...

Wonder if anyone had similar experience?

I'll have to digest the configuration, I'll paste it later, but for now,

Here are the sessions from two different branches:

ASA5516X-FW01/act# sh conn | inc 10.7.10.87
...
TCP OUTSIDE 188.172.208.138:5938 INSIDE 10.7.10.87:49462, idle 0:00:20, bytes 191513, flags UxIOX
UDP OUTSIDE 114.29.192.95:9000 INSIDE 10.7.10.87:60573, idle 0:00:00, bytes 9849856, flags X
UDP OUTSIDE 114.29.192.95:9000 INSIDE 10.7.10.87:64336, idle 0:00:00, bytes 201397360 , flags X
TCP OUTSIDE 114.29.192.95:443 INSIDE 10.7.10.87:51560, idle 0:00:00, bytes 672621, fl ags UxIO

 

B-ASA5516X-FW01/act# sh conn | inc 10.2.1.249
...
UDP OUTSIDE 114.29.192.95:9000 INSIDE 10.2.1.249:61169, idle 0:00:00, bytes 1802320, flags X
UDP OUTSIDE 114.29.192.95:9000 INSIDE 10.2.1.249:51851, idle 0:00:00, bytes 324618730, flags X
TCP OUTSIDE 114.29.192.95:443 INSIDE 10.2.1.249:53553, idle 0:00:02, bytes 1107153, flags UxIO

 

 

4 Replies 4

aleksa
Level 1
Level 1

And here is the relevant config...

Please let me know of any thoughts?

Sorry, my bad, wrong file.

Here is the config file attached.

Peter Koltl
Level 7
Level 7

Flag X indicates that the flow is handled by Firepower module so you should check it. If no clues, try excluding this port from the service module inspection ACL.

Thanks Peter,

 

I've excluded Webex traffic from FirePower inspection, yet the problems remained.

I did packet-trace command on typical Webex connection and confirmed it wasn't sent to IPS policy for inspection...

Any more ideas? Do you think there's much difference in using implicit allow (for traffic initiated from higher security level to lower) and explicitly defining Webex traffic (Network Objects - Webex URL-s and public IP-s, as well as UDP/TCP ports)?

 

Thanks,

Alex

 

Review Cisco Networking for a $25 gift card