ACL problem for UDP 443

saleh.alsalamah
Level 1

Hi community team,

I have applied a route-map to forward HTTP/HTTPS traffic to the proxy, but there is still some traffic that does not belong to HTTP/HTTPS that is actually being forwarded to the proxy server. Would you please advise me of a solution?

In the attached packet capture file you can find the destination MAC address (f4:15:63:7e:b6:60), which is linked with IP 10.1.80.240 (proxy IP).

PID: WS-C6509-E

Software version: Version 15.5(1)SY


Jaderson Pessoa
VIP Alumni

Hello,

Port 443 is used for SSL; it is TCP, not UDP.

Is your proxy using port 443?
By default the proxy port is 3128/3129.
Are your clients using it via WPAD or configured manually?

Jaderson Pessoa

Thanks for your reply.

We are using a transparent proxy and our clients are not using WPAD.

Our clients do not use any configuration in their proxy settings; the core switch redirects HTTP/HTTPS traffic to the proxy :)

The private IPs (10.0.0.0/8, 192.168.0.0/24, 172.16.0.0) are not redirected to the proxy because they are located in our environment.

Jaderson Pessoa
VIP Alumni

@saleh.alsalamah Hello,

I edited your ACL.

ip access-list extended LAN
deny tcp any host 46.49.134.149 eq www       << (won't redirect http traffic to proxy)
deny tcp any host 46.49.134.149 eq 443       << (won't redirect https traffic to proxy)
deny tcp any 10.0.0.0 0.255.255.255 eq www   << (won't redirect http traffic to proxy)
deny tcp any 10.0.0.0 0.255.255.255 eq 443   << (won't redirect https traffic to proxy)
deny tcp any 192.168.0.0 0.0.255.255 eq www  << (won't redirect http traffic to proxy)
deny tcp any 192.168.0.0 0.0.255.255 eq 443  << (won't redirect https traffic to proxy)
deny tcp any 172.16.0.0 0.15.255.255 eq www  << (won't redirect http traffic to proxy)
deny tcp any 172.16.0.0 0.15.255.255 eq 443  << (won't redirect https traffic to proxy)
permit tcp any any eq 443                    << (will redirect https traffic to proxy)
permit tcp any any eq www                    << (will redirect http traffic to proxy)
!
route-map Proxy permit 1
match ip address LAN
set ip next-hop 10.1.80.240

Jaderson Pessoa

Thanks for your answer. I applied your ACL and had another problem with UDP 443 not being redirected to the proxy, as you can find in the attached file.

Deepak Kumar
VIP Alumni

Hi,

The Wireshark capture which you shared with us doesn't have full details. I can see only some UDP fragmented packets, as you allowed UDP port 80 and UDP 443.

The packet capture does not have source or destination port details in the packets, so it is very hard to tell you what your issue is. As per the ACL, only UDP & TCP ports 80 and 443 are allowed. If possible, share another capture.

One more point to notice: Google is using UDP port 443 for the HTTPS connection (when you browse any Google website in the Chrome browser).

Regards,

Deepak Kumar

I have attached another capture file for PAPI traffic. PAPI is the protocol used by Aruba Networks to manage access points; PAPI uses UDP as its transport protocol. The well-known UDP port for PAPI traffic is 8211.

We have noticed many APs went down because of this issue :(

Hi,

Can you share a network diagram and the complete configuration of this router?

Regards,
Deepak Kumar

Attached are the diagram and configuration file.

Hello @saleh.alsalamah 

I checked your configuration, and your policy was applied only on port-channels and VLANs.

There is another topic talking about the possible problems of doing it.

Check here: https://community.cisco.com/t5/switching/service-policy-on-port-channel/td-p/2929746

I suggest that you apply your IP policy on the physical interfaces as well.

Jaderson Pessoa

I applied the rule on the physical interface but the issue is still not resolved.

Hi,

Make the changes below:

ip access-list extended LAN-Test
permit ip any 10.20.0.0 0.0.255.255
!
route-map Proxy permit 20
match ip address LAN-Test

Regards,

Deepak Kumar
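Added example, not from any poster in this thread: a small Python model of how an IOS extended ACL and a PBR route-map classify a packet, including the IOS rule for non-initial IP fragments documented in Cisco's "Access Control Lists and IP Fragments": a fragment that carries no Layer 4 header is assumed to satisfy any port condition, so a permit ACE with a port matches it and a deny ACE with a port is skipped. This bears on both the reply about fragmented UDP packets without port details and the later suggestion of a second route-map sequence with a match but no set clause. The model uses the ACL posted above as-is, a constructed "permit udp any any eq 443" entry standing in for the UDP entries the reply says the original ACL had, constructed PAPI (UDP 8211) packets, and assumed addresses 10.1.5.10 and 10.1.80.5; the route-map sequence order is also an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80}          # keyword ports used in the thread's ACL

@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None: ACE has no Layer 4 condition

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None   # None: no L4 header (non-initial fragment)
    non_initial_fragment: bool = False

def _addr(tokens):
    """Consume one IOS address spec: 'any' | 'host A' | 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)  # wildcard -> netmask
    return ipaddress.IPv4Network((tok, str(netmask)), strict=False)

def parse_acl(text):
    """Parse 'permit|deny PROTO SRC DST [eq PORT]' lines; '<<' comments are dropped."""
    acl = []
    for line in text.strip().splitlines():
        tokens = line.split("<<")[0].split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue                                   # 'ip access-list ...' header
        action, proto = tokens.pop(0), tokens.pop(0)
        src, dst = _addr(tokens), _addr(tokens)
        dport = None
        if tokens and tokens[0] == "eq":
            dport = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        acl.append(Ace(action, proto, src, dst, dport))
    return acl

def acl_permits(acl, pkt):
    """First matching ACE wins; implicit deny at the end of the list."""
    for ace in acl:
        if not (ace.proto in ("ip", pkt.proto)
                and ipaddress.IPv4Address(pkt.src) in ace.src
                and ipaddress.IPv4Address(pkt.dst) in ace.dst):
            continue
        if ace.dport is None:
            return ace.action == "permit"
        if pkt.non_initial_fragment:
            # IOS fragment rule: no L4 header to inspect, so the port condition is
            # assumed to match: a permit ACE permits the fragment, a deny ACE is
            # skipped and evaluation continues with the next ACE.
            if ace.action == "permit":
                return True
            continue
        if pkt.dport == ace.dport:
            return ace.action == "permit"
    return False

def pbr_next_hop(route_map, acls, pkt):
    """route_map: ordered [(acl_name, next_hop_or_None)]. The first sequence whose
    ACL permits the packet wins; a sequence without 'set ip next-hop' (or no match
    at all) means the packet is routed normally, returned here as None."""
    for acl_name, next_hop in route_map:
        if acl_permits(acls[acl_name], pkt):
            return next_hop
    return None

# ACL as posted in the thread (one '<<' comment kept to show it is stripped).
LAN = parse_acl("""
ip access-list extended LAN
deny tcp any host 46.49.134.149 eq www  << (won't redirect http traffic to proxy)
deny tcp any host 46.49.134.149 eq 443
deny tcp any 10.0.0.0 0.255.255.255 eq www
deny tcp any 10.0.0.0 0.255.255.255 eq 443
deny tcp any 192.168.0.0 0.0.255.255 eq www
deny tcp any 192.168.0.0 0.0.255.255 eq 443
deny tcp any 172.16.0.0 0.15.255.255 eq www
deny tcp any 172.16.0.0 0.15.255.255 eq 443
permit tcp any any eq 443
permit tcp any any eq www
""")
# Constructed variant: the reply says the original ACL also permitted UDP 443.
LAN_UDP = LAN + parse_acl("permit udp any any eq 443")
LAN_TEST = parse_acl("permit ip any 10.20.0.0 0.0.255.255")
ACLS = {"LAN": LAN, "LAN-UDP": LAN_UDP, "LAN-Test": LAN_TEST}
PROXY = "10.1.80.240"
ROUTE_MAP = [("LAN-UDP", PROXY), ("LAN-Test", None)]   # seq 1 sets a next-hop, seq 20 does not

# Constructed PAPI packets (UDP 8211, assumed hosts): only the first fragment carries ports.
PAPI_FIRST = Packet("udp", "10.1.5.10", "10.1.80.5", 8211)
PAPI_FRAG = Packet("udp", "10.1.5.10", "10.1.80.5", None, non_initial_fragment=True)

if __name__ == "__main__":
    for name, pkt in [("PAPI first fragment", PAPI_FIRST), ("PAPI later fragment", PAPI_FRAG)]:
        print(name, "->", pbr_next_hop(ROUTE_MAP, ACLS, pkt) or "normal routing")
```

Run as-is, the first PAPI fragment is routed normally while the later fragment is sent to 10.1.80.240: the port 8211 in the first fragment fails the "eq 443" check, but the later fragment has no ports and the "permit udp any any eq 443" ACE accepts it. The same rule applies to the TCP deny entries, so a non-initial fragment of an internal HTTPS flow falls through the deny ACEs and hits "permit tcp any any eq 443". The `fragments` keyword on an ACE, or an L3-only entry placed before the port-specific ones, is the usual way to control this on IOS.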