03-20-2019 02:13 PM
Hi community team,
I have applied a route-map to forward HTTP/HTTPS traffic to the proxy, but still some traffic that does not belong to HTTP/HTTPS is actually being forwarded to the proxy server. Would you please advise me on a solution?
In the attached packet capture file you can find the destination MAC address (f4:15:63:7e:b6:60), which is linked with IP 10.1.80.240 (proxy IP).
PID: WS-C6509-E
Software version: Version 15.5(1)SY
03-20-2019 03:30 PM - edited 03-20-2019 03:33 PM
Hello,
PORT 443 IS USED FOR SSL; IT IS TCP, NOT UDP.
Is your proxy using port 443?
By default the proxy port is 3128/3129.
Are your clients using it via WPAD or configured manually?
03-22-2019 11:16 AM
Thanks for your reply
We are using a transparent proxy and our clients are not using WPAD.
Our clients do not use any configuration in their proxy settings; the core switch redirects HTTP/HTTPS traffic to the proxy :)
The private IPs (10.0.0.0/8, 192.168.0.0/24, 172.16.0.0) are not redirected to the proxy because they are located in our environment.
03-20-2019 03:35 PM - edited 03-20-2019 03:37 PM
@saleh.alsalamah Hello,
I edited your ACL.
ip access-list extended LAN
deny tcp any host 46.49.134.149 eq www << (won't redirect HTTP traffic to proxy)
deny tcp any host 46.49.134.149 eq 443 << (won't redirect HTTPS traffic to proxy)
deny tcp any 10.0.0.0 0.255.255.255 eq www << (won't redirect HTTP traffic to proxy)
deny tcp any 10.0.0.0 0.255.255.255 eq 443 << (won't redirect HTTPS traffic to proxy)
deny tcp any 192.168.0.0 0.0.255.255 eq www << (won't redirect HTTP traffic to proxy)
deny tcp any 192.168.0.0 0.0.255.255 eq 443 << (won't redirect HTTPS traffic to proxy)
deny tcp any 172.16.0.0 0.15.255.255 eq www << (won't redirect HTTP traffic to proxy)
deny tcp any 172.16.0.0 0.15.255.255 eq 443 << (won't redirect HTTPS traffic to proxy)
permit tcp any any eq 443 << (will redirect HTTPS traffic to proxy)
permit tcp any any eq www << (will redirect HTTP traffic to proxy)
!
route-map Proxy permit 1
match ip address LAN
set ip next-hop 10.1.80.240
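As an added check that is not part of the thread, this Python evaluator walks the LAN list above the way IOS does (first matching ACE decides, implicit deny at the end) and reports whether the route-map would set the proxy next-hop for a given packet. The ACL text is copied from the post; client address 10.20.1.5 and AP address 10.1.80.10 are constructed sample values.

```python
import ipaddress

# Constructed copy of the corrected "LAN" list above (IOS wildcard masks, not netmasks).
ACL_LAN = """
deny tcp any host 46.49.134.149 eq www
deny tcp any host 46.49.134.149 eq 443
deny tcp any 10.0.0.0 0.255.255.255 eq www
deny tcp any 10.0.0.0 0.255.255.255 eq 443
deny tcp any 192.168.0.0 0.0.255.255 eq www
deny tcp any 192.168.0.0 0.0.255.255 eq 443
deny tcp any 172.16.0.0 0.15.255.255 eq www
deny tcp any 172.16.0.0 0.15.255.255 eq 443
permit tcp any any eq 443
permit tcp any any eq www
"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tokens):
    """Consume one address spec ('any', 'host A' or 'A WILDCARD'); return (net, wildcard, rest)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse extended ACEs: '<permit|deny> <proto> <src> <dst> [eq <port>]' (www = 80)."""
    aces = []
    for line in text.strip().splitlines():
        action, proto, *rest = line.split()
        src, src_wc, rest = _parse_addr(rest)
        dst, dst_wc, rest = _parse_addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = 80 if rest[1] == "www" else int(rest[1])
        aces.append((action, proto, src, src_wc, dst, dst_wc, port))
    return aces

def _in(net, wc, addr):  # a set wildcard bit means "don't care"
    return (net | wc) == (addr | wc)

def redirected(aces, proto, src, dst, dport):
    """True if the route-map match clause hits, i.e. PBR sets the proxy as next-hop."""
    s, d = _ip(src), _ip(dst)
    for action, p, ns, ws, nd, wd, port in aces:
        if p not in ("ip", proto) or not _in(ns, ws, s) or not _in(nd, wd, d) \
                or (port is not None and port != dport):
            continue
        return action == "permit"  # first matching ACE decides
    return False  # implicit deny: the packet is routed normally
```

With this list, UDP 8211 (PAPI) and UDP 443 (QUIC) never match, so they are routed normally; appending a `permit udp any any eq 443` line is enough to make the evaluator show QUIC being sent to the proxy.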
03-22-2019 10:51 AM
03-20-2019 08:26 PM
Hi,
The Wireshark capture which you shared with us doesn't have full details. I can see only some fragmented UDP packets, as you allowed UDP port 80 and UDP 443.
The packet capture does not have source or destination port details in the packets, so it is very hard to tell what your issue is. As per the ACL, only UDP & TCP ports 80 and 443 are allowed. If possible, share another capture.
One more point to notice: Google uses UDP port 443 for the HTTPS connection (when you browse any Google website in the Chrome browser).
Regards,
Deepak Kumar
03-22-2019 11:00 AM
I have attached another capture file for PAPI traffic. PAPI is the protocol used by Aruba Networks to manage access points; PAPI uses UDP as its transport protocol. The well-known UDP port for PAPI traffic is 8211.
We have noticed many APs went down because of this issue :(
03-22-2019 11:35 PM
Hi,
Can you share a network diagram and complete configuration of this router?
Regards,
Deepak Kumar
03-24-2019 05:22 AM
03-24-2019 06:31 AM - edited 03-24-2019 06:31 AM
Hello @saleh.alsalamah
I checked your configuration and your policy was applied only on port-channels and VLANs.
There are other topics talking about the possible problems of doing that.
Check here: https://community.cisco.com/t5/switching/service-policy-on-port-channel/td-p/2929746
I suggest you apply your ip policy on the physical interfaces as well.
03-27-2019 02:51 AM
I applied the rule on the physical interface, but the issue is still not resolved.
03-27-2019 04:39 AM
Hi,
Make the below changes:
ip access-list extended LAN-Test
permit ip any 10.20.0.0 0.0.255.255
!
route-map Proxy permit 20
match ip address LAN-Test
Regards,
Deepak Kumar