Issues with WSA and Akamai

dkorell
Level 1

For over a month now we have had major issues with our WSAs running 8.0.6-119 and Akamai. First it started on a VM WSA and now on our physical WSAs that we just put into production. Basically we will notice all of our bandwidth is in use and using a packet sniffer we see a WSA talking to an Akamai website and consuming it all. When first troubleshooting it I would see about 160MB downloaded in about 20 seconds but when I look in the packets and match the traffic to a user the WSA shows maybe 5MB was downloaded. We also saw traffic coming into the WSAs from the inside would be maybe 15Mbps but going out to the Internet would be 50Mbps. We would reboot the WSAs and all would be good again sometimes for a day or even a week before it happened again.

Eventually this got so bad though that we put ACLs in our ASA to have certain blocks of offending Akamai IPs bypass the WSA. Sometimes new IPs would show up and cause problems and we would add those but it wasn't until a reboot of the WSA that it stopped. It's like it was stuck in a loop. Overall this has helped tremendously but this isn't the way it should be.

I opened a case with Cisco but they couldn't find anything. They would send me a list of the 10 top users consuming bandwidth but the WSA doesn't log the traffic to Akamai we're seeing to begin with. There is no spike in any of the WSA graphs.

I'm really hoping someone else has seen this. Being the only one, according to Cisco, is not helping.

8 Replies

Alexandra Giunta
Cisco Employee

Do you have range requests enabled? By default this is turned off on the WSA. Enabling range requests allows the WSA to honor the client's range request and download the file in chunks. Otherwise, the WSA will strip the range request header and download the entire file before returning it to the client.

So for example, if a client was streaming a 5MB video and requested that video in 32 different sections, the WSA would download the entire 5MB file every time an HTTP request was sent with a range header, equaling 160MB total that was downloaded.

The range requests are disabled by default because it does pose a security risk; now that you're downloading files in chunks, it is considerably harder for the malware/virus engines to check the data against signatures.

Hope this helps.
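To make the arithmetic in the reply above concrete, here is an added Python model (not part of this thread and not WSA code) that computes how many bytes a proxy fetches from the origin for a set of client Range requests when it strips the header versus when it honors it. The URL, object size and request list are constructed for the example.

```python
import re
from dataclasses import dataclass

# Single byte-range form only ("bytes=start-end" or "bytes=start-");
# suffix ranges such as "bytes=-500" are not parsed and fall back to a full fetch.
RANGE_RE = re.compile(r"^bytes=(\d+)-(\d*)$")


@dataclass
class Request:
    url: str
    headers: dict  # constructed client request headers


def parse_range(value: str):
    """Return (start, end) for a single-range header, end=None for open-ended, else None."""
    m = RANGE_RE.match(value.strip())
    if not m:
        return None
    start = int(m.group(1))
    end = int(m.group(2)) if m.group(2) else None
    return start, end


def upstream_bytes(requests, object_sizes, honor_range):
    """Bytes the proxy pulls from the origin for a list of client requests.
    honor_range=False models the WSA default described above: the Range header is
    stripped and the whole object is fetched again for every client request."""
    total = 0
    for req in requests:
        size = object_sizes[req.url]
        rng = parse_range(req.headers.get("Range", "")) if honor_range else None
        if rng is None:
            total += size
        else:
            start, end = rng
            end = size - 1 if end is None or end >= size else end
            total += max(0, end - start + 1)
    return total


def amplification(requests, object_sizes):
    """Ratio of origin bytes fetched with Range stripped vs. honored."""
    full = upstream_bytes(requests, object_sizes, honor_range=False)
    chunked = upstream_bytes(requests, object_sizes, honor_range=True)
    return full / chunked if chunked else float("inf")


# Constructed sample: a 5 MB video the client requests in 32 equal chunks.
MB = 1024 * 1024
VIDEO = "http://media.example.test/clip.mp4"
SIZES = {VIDEO: 5 * MB}
CHUNK = (5 * MB) // 32
SAMPLE = [Request(VIDEO, {"Range": f"bytes={i * CHUNK}-{(i + 1) * CHUNK - 1}"}) for i in range(32)]

if __name__ == "__main__":
    print(upstream_bytes(SAMPLE, SIZES, False) // MB, "MB with Range stripped,",
          upstream_bytes(SAMPLE, SIZES, True) // MB, "MB with Range honored,",
          "amplification x%.0f" % amplification(SAMPLE, SIZES))
```

Comparing the two totals against what the proxy reports per user is the check that explains the "5MB logged, 160MB on the wire" gap in the original post.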

Thanks Alexandra for the tip on range requests. I have opened another case with TAC and have turned it on and we'll see what happens. While reading up on it I also came across a bug in case anyone else has had issues with bandwidth consumption. I got the other bug from TAC.

https://tools.cisco.com/bugsearch/bug/CSCus00951/?referring_site=bugqvinvisibleredir

https://tools.cisco.com/bugsearch/bug/CSCus22943/?referring_site=bugqvinvisibleredir

I know this thread is 2 years old but it seems like I'm again running into the same issue with a WSA running 9.2.0-809, even though the referenced bug is fixed since 9.0.0-485.

I was wondering, dkorell, did enabling range requests on the WSA stop the problem from occurring again (I know about the security implications)?

I'm on 9.1.1 now and still having issues even with range requests forwarded. I actually have another TAC case open for it and we had the issue again yesterday and they had packet captures enabled on the WSAs to see what's going on. I also did packet captures on the network. I'm still waiting to hear what they found. To try and minimize the issue I have also turned off safe search and site content filtering, which I wasn't really happy about. It's also been recommended to not use AVC filtering and I flat out refuse to do that. That's a big part of why we went to the WSAs. I can't rely solely on category filtering. At this point we are ready to dump Cisco for web filtering and this is their last chance.

Also having the same issues with Windows Updates

I have two WSUS servers and had to bypass the WSAs for them to work in the beginning. There is another forum discussion about this where people have tried other things. I just left them unfiltered.

Prab
Level 1

Sidenote:

Consider a network setup:
Users <---> WSA <---> Firewall/Router <---> Internet

Possibly, the upstream firewall or router could not differentiate the web traffic from the end clients & the traffic generated from WSA itself. The upstream firewall or router will be seeing the WSA's IP as the source of all the traffic.
(The WSA generates its own traffic. An example is downloading signature updates for the engines, etc.)

If you check the bandwidth usage on the WSA & compare with the bandwidth usage on the upstream firewall/router, you will most probably see a difference.

The bandwidth usage on WSA only considers the User generated traffic.
The bandwidth usage on the firewall/router = WSA self-generated traffic + User traffic coming via WSA

I created an EHN to allow the WSA to display the bandwidth usage that includes the traffic generated by the WSA itself.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo74186

Hope it helps,
Prab

