Can't block "skype" traffic by NBAR !!??
Hi,
I'm trying to block Skype traffic with Cisco NBAR. I have a Cisco 1941 router
with IOS:
System image file is "flash0:c1900-universalk9-mz.SPA.152-4.M5.bin"
I'm trying to match Skype traffic with "match protocol skype"
but it doesn't match!
I googled and found many articles that say the latest version of Skype uses the HTTPS protocol for VoIP!
So I'm asking here:
what other factors can I work with so that I match Skype traffic?
I need to stop Skype, WhatsApp and Viber traffic.
I have big difficulties with that, because all of them use HTTPS!
Can we match hello messages or packet lengths and block them?
I found somebody who says:
route-map block-skype-https permit 10
 match length 112 112
 set interface null 0
Not sure if this info is correct!
Please advise me...
Regards
Any help?
Do I need a next-generation firewall? Or an SSL firewall or something like that?
Similar Messages
-
WSA s170 - How to block skype and download
Hi,
I recently changed my proxy solution from BlueCoat ProxySG to Cisco WSA but I'm finding some difficulties to operate the appliance.
a - I can't have multiple default routes
b - How can I block Skype traffic?
c - How can I block downloads
d - No graphical interface for logging
I hope someone here can help me, because I don't know yet if it was a good choice to change the solution that used to work like a charm.
If someone can also point out the other good things I can do with this appliance, that would be good.
Best regards,
Alcides

It sounds like it may be best for you to reach out to the sales person that sold you this appliance. But some quick answers for you:
a) You can go to Network > Routes. You can set routes based on destinations. What exactly are you trying to do with multiple default routes? Are you trying to get some kind of fail-over setup? If so, this cannot be done. You can contact TAC and ask that they submit a feature request for this.
b) Skype can be blocked by the WSA, but after Skype determines that it cannot log on via port 80 or 443, it will start trying every port that ever existed until it gets access. Are you ready to block all other ports at the firewall?
c) You can block a download by file types under Access Policies > Mime Type.
d) There is web tracking. But if you want to view live logs in the GUI, that is not available. Consider contacting TAC and asking for a feature request as well.
It sounds like you are very used to the Bluecoat. Different products will have different features.
-
ASA5505 - Blocking internal traffic between 2 servers
Hi guys/ladies
I have a Cisco ASA5505. It runs a wide site-to-site VPN network and has 4 servers connected to it:
10.50.15.4 > fileserver
10.50.15.5 > domain controller (exchange)
10.50.15.6 > terminal server
10.50.15.7 > terminal server
Now yesterday I removed 10.50.15.6 and replaced it with a new terminal server with the same IP address. Ever since, the ASA is blocking traffic between it and the domain controller (example):
2  Oct 27 2012  14:51:05  106007  10.50.15.6  55978  DNS  Deny inbound UDP from 10.50.15.6/55978 to 10.50.15.5/53 due to DNS Query
What has me baffled is that the only thing different between today and yesterday is that the new server is Windows Server 2008 and the old one was Windows Server 2003. The new server has the same LAN IP address as the old one to make the changeover seamless for the users.
Any idea why all of a sudden my ASA has decided to block the traffic between those machines? All the other machines can talk to it fine, just not the domain controller, and seeing that this is a terminal server, naturally you can see the problem I face!
Any help you can give would be great, as this router has worked flawlessly for 2 years now without any config changes and I can't work out why it's blocking traffic between those 2 machines.

Result of the command: "show cap asp | include 10.50.15.6"
15: 10:09:21.796849 802.1Q vlan#1 P0 10.50.15.6.58810 > 10.50.15.5.389: udp 163
16: 10:09:22.189153 802.1Q vlan#1 P0 10.50.15.6.58810 > 10.50.15.5.389: udp 163 Drop-reason: (acl-drop) Flow is denied by configured rule
17: 10:09:22.596252 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53: udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
18: 10:09:23.625913 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53: udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
19: 10:09:24.625227 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53: udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
20: 10:09:26.635236 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53: udp 86
25: 10:09:30.653500 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53: udp 86
27: 10:09:34.655025 802.1Q vlan#1 P0 10.50.15.6.137 > 10.50.15.255.137: udp 50 Drop-reason: (acl-drop) Flow is denied by configured rule
28: 10:09:34.655071 802.1Q vlan#1 P0 10.50.15.6.138 > 10.50.15.255.138: udp 237
29: 10:09:34.655193 802.1Q vlan#1 P0 10.50.15.6.138 > 10.50.15.5.138: udp 237 Drop-reason: (acl-drop) Flow is denied by configured rule
30: 10:09:34.764700 802.1Q vlan#1 P0 10.50.15.6.49854 > 10.50.15.5.88: S 1487640872:1487640872(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
31: 10:09:34.899337 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53: udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
32: 10:09:35.901946 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53: udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
33: 10:09:36.915937 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53: udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
34: 10:09:37.773916 802.1Q vlan#1 P0 10.50.15.6.49854 > 10.50.15.5.88: S 1487640872:1487640872(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
35: 10:09:38.942715 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53: udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
37: 10:09:42.937695 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53: udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
38: 10:09:43.788579 802.1Q vlan#1 P0 10.50.15.6.49854 > 10.50.15.5.88: S 1487640872:1487640872(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
41: 10:09:55.803608 802.1Q vlan#1 P0 10.50.15.6.54962 > 10.50.15.5.53: udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
42: 10:09:56.814166 802.1Q vlan#1 P0 10.50.15.6.54962 > 10.50.15.5.53: udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
43: 10:09:57.820804 802.1Q vlan#1 P0 10.50.15.6.54962 > 10.50.15.5.53: udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
-
ASA5520 allowing/blocking Skype
I have the following:
redundant ASA5520s on v8.2(1)
proxy server/web filter for blocking access to websites for staff/students
users who want to use Skype
Cisco Catalyst 4507 core
a dozen VLANs for staff/student/WiFi etc
Cisco core policy that routes 80/443 to transparent proxy on a WiFi VLAN
Windows desktops have direct proxy settings in IE
Pretty much all outbound ports are closed, with 80/443 and a handful of specifics for various things open. Because of this Skype attempts to use 80/443, which are sent to the proxy server, but because they're not HTTP/HTTPS they cannot be understood. Skype's attitude is to open 1024-65535, which is just plain stupid!
There's no way to specify which port(s) Skype uses for outbound. I tried opening 33000-33099 which worked perfectly for 2-3 devices (Win laptop, iPad) but others failed all the time.
I've seen people mention using an AIP-SSM module in the ASA for blocking Skype (and other things eg torrents). Is it possible to use this module to allow Skype eg on ports 1024-65535 whilst blocking any other application from using those ports?
Any advice on the handling of Skype in this configuration would be appreciated.

Hi Steve,
To block Skype is not that easy. I am sharing a piece of work which I did some time ago. Hope it might be helpful in case you need to block Skype.
It's just a workaround and you may decide your course of action.
These are Skype login servers:
"dir1.sd.skype.net:9010", "dir2.sd.skype.net:9010", "dir3.sd.skype.net:9010", "dir4.sd.skype.net:9010", "dir5.sd.skype.net:9010", "dir6.sd.skype.net:9010", "dir7.sd.skype.net:9010", "dir8.sd.skype.net:9010", "http1.sd.skype.net:80", "http2.sd.skype.net:80", "http3.sd.skype.net:80", "http4.sd.skype.net:80", "http5.sd.skype.net:80", "http6.sd.skype.net:80", "http7.sd.skype.net:80", "http8.sd.skype.net:80". Skype-SW connects randomly to 1-8.
If you want to block Skype totally and don't want to spend a lot on your firewall, you can use Squid proxy running on OpenBSD.
The below is not an accurate, but a nearby or approximate, study of how Skype operates, and is not a comprehensive analysis of its behaviour:
1) Skype will initially attempt to contact supernodes, the IPs of which are in a file stored along with the other files that Skype installs. The first method of contact is direct. The source ports that Skype attempts to connect from are non-default ports. From my observations I could see that the UDP source port 1247 is the initial control channel. Once the connection is established, the rest of the communication is done in TCP over non-default source ports with ranges sweeping from 2940-3000. In general, any company that is serious about its security policy would have strict egress filtering rules, which makes identifying the non-default source/destination ports that Skype uses irrelevant since they would be blocked anyway.
2) If the above fails, Skype will use the proxy server specified in Internet Explorer, and attempt to tunnel the traffic over port 443 using the SSL protocol. The destination IPs are of course random as above, which makes destination blocking out of the question. The only option left is to block SSL, which is not really a solution, unless you want to end up excluding all legal SSL destinations. Deleting the user's proxy settings would also disallow Skype from connecting. That would however leave the user without internet access. Even if the user had no proxy settings, and the proxying was done transparently (which would definitely include proxying http and https traffic), the Skype traffic (SSL) would again be transparently proxied, which puts us back at square one.
The Alternative That Works:
Internet access services in our corporate workplace are provided by our proxy servers. The setup is basically Squid proxy running over OpenBSD. PF (packet filter, OpenBSD's built-in firewall) takes care of all the egress/ingress filtering, and the rest of the content filtering is done in Squid using custom-written access lists. Blocking Skype's default operation was a no-brainer, as our strict egress filtering rules block all outgoing traffic. The problem was with Skype detecting the user's proxy server, and tunneling its traffic over Squid. Upon checking Squid's access logs, all we could see was requests made by the users' machines using the 'Connect' method to random destination IPs.
As mentioned above, blocking SSL or the 'Connect' method means blocking access to all legitimate websites that use SSL (Hotmail, Yahoo, e-banking, e-commerce websites, e.g. any website that is secured by SSL). Should you go down that road, you would have to explicitly allow all permitted destinations (an ongoing technical nightmare).
The catch in successfully blocking Skype, given all of the above, would be to block access to requests made by clients to destinations specified by their numeric IP address, AND using the 'Connect' method to tunnel the Skype data. I have done that simply by writing an access list in Squid that achieves just that. The access list is in regex (regular expression) format that identifies numeric IP addresses. The access list further specifies the connection method that the client is using. In Squid the 'Connect' method is conveniently called 'Connect' as well.
The access list then is of the following form:
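# Your acl definitions
# url_regex is used here because a CONNECT request has no URL path for
# urlpath_regex to match; its URL is just "host:port"
acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
acl connect method CONNECT
# Apply your acls: deny CONNECT requests whose target is a numeric IP
http_access deny connect numeric_IPs all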
Regards
Anim Saxena
*Rate helpful posts* -
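The access-log check described in the answer above, as an added example (not part of the original post and not Squid's own code): it scans Squid native-format access.log lines for CONNECT requests whose target is a numeric IP, the pattern the ACL denies, and counts them per client. The log lines are constructed samples and the function names are hypothetical.

```python
"""Added example: find CONNECT-to-numeric-IP requests in a Squid access.log."""
import ipaddress
from collections import Counter

# Constructed sample lines in Squid's native access.log format:
# time elapsed client result/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1380000001.101   4012 10.1.1.20 TCP_MISS/200 3456 CONNECT 203.0.113.45:443 - DIRECT/203.0.113.45 -
1380000002.230    310 10.1.1.21 TCP_MISS/200 8120 CONNECT mail.example.com:443 - DIRECT/198.51.100.7 -
1380000003.554     12 10.1.1.20 TCP_DENIED/403 1420 CONNECT 198.51.100.99:443 - NONE/- text/html
1380000004.010    220 10.1.1.22 TCP_MISS/200 5120 GET http://192.0.2.10/index.html - DIRECT/192.0.2.10 text/html
1380000005.777   6001 10.1.1.23 TCP_MISS/200 2210 CONNECT [2001:db8::5]:443 - DIRECT/2001:db8::5 -
1380000006.000 malformed line
"""


def split_host_port(target):
    """Split a CONNECT target ('host:port' or '[ipv6]:port') into (host, port)."""
    if target.startswith("["):
        host, _, rest = target[1:].partition("]")
        return host, rest.lstrip(":")
    host, _, port = target.rpartition(":")
    return host, port


def is_numeric_ip(host):
    """True only for a literal IPv4/IPv6 address. Stricter than the page's regex,
    which would also match a hostname such as '1.2.3.4.example.com'."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def find_numeric_connects(log_text):
    """Return one record per CONNECT request whose target host is a numeric IP."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:  # skip truncated or malformed lines
            continue
        client, result, method, target = fields[2], fields[3], fields[5], fields[6]
        if method != "CONNECT":
            continue
        host, port = split_host_port(target)
        if is_numeric_ip(host):
            hits.append({
                "client": client,
                "dest": host,
                "port": port,
                # TCP_DENIED means an http_access rule already refused it
                "denied": result.startswith("TCP_DENIED"),
            })
    return hits


def summarize(hits):
    """Count numeric-IP CONNECTs per client, split into allowed and denied."""
    allowed = Counter(h["client"] for h in hits if not h["denied"])
    denied = Counter(h["client"] for h in hits if h["denied"])
    return allowed, denied


if __name__ == "__main__":
    allowed, denied = summarize(find_numeric_connects(SAMPLE_LOG))
    for client in sorted(set(allowed) | set(denied)):
        print(f"{client}: allowed={allowed[client]} denied={denied[client]}")
```

Run against a real log before enabling the deny rule, the allowed counts show which clients and destinations the ACL would start refusing.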
Can't download Skype on Android from Google Play
Device Maker: Sony Ericsson
Device Name: Xperia x8
Device Model: E15i
Network Home from WiFi
Skype client version installed: Can't download
Hello guys... I log in to the Market from my Android phone and I can't find Skype in the search section. Also, when I log in to Google Play to download Skype it tells me "This application is not compatible with your device". Can you please help me and tell me what is wrong with my Xperia so that I can't download it? About 6 months ago I used to have it and now I can't even download it or find it through the Market. Any idea will be helpful.

Skype has been discontinuing / blocking access to certain platforms and operating systems, so you must be running Android 2.3.x Gingerbread or higher to install it.
As far as I can tell the Xperia x8 is shipped with Android 1.6, upgradable to 2.1, which does not meet the minimum requirement for Skype.
It may be possible to install unofficial mods of Android to get Gingerbread (aka CyanogenMod), but the process is messy and may brick your device, not to mention void your warranty.
For what it's worth, a new handset running KitKat or higher would be a better solution since there's no telling how long Android Gingerbread would remain supported.
-
Cisco RV042 Firewall Blocking LAN Traffic
Hello Everyone,
I currently have an RV042G with a downstream SG-300 connected to one of the LAN interfaces. Connected to the SG-300 are a couple of servers running ESXi. Inter-VLAN routing is working fine on the current setup; however, I am only able to connect to my ESXi hosts on a separate VLAN for approximately a minute before the connection is dropped. I have concluded that the firewall seems to be the culprit in blocking my traffic. If I turn the firewall off, everything acts as expected. There is a default "ANY/ANY" rule for LAN traffic enabled and I have added a couple of extras allowing all traffic for IP ranges, but I still seem to be losing my connections. To make matters more confusing, I can see ACCESS_RULE events in the firewall logs permitting the traffic (or so I'm interpreting).
Regardless, here's how my rules currently stand below. I put another ANY/ANY rule in because the default didn't seem to be working -- I immediately was able to ping other hosts on different VLANs after adding the rule. I was under the assumption allowing all traffic from any source to any destination would make the LAN pretty accessible. I would appreciate any guidance or resources on this topic to set up some quick firewall rules to get things up and running. Thanks in advance.
Priority | Enable | Action | Service | Source Interface | Source | Destination | Time | Day | Delete
123 | | Allow | All Traffic [1] | LAN | 10.10.21.1 ~ 10.10.21.31 | 10.10.10.10 ~ 10.10.10.10 | Always | |
123 | | Allow | All Traffic [1] | LAN | 10.10.10.10 ~ 10.10.10.10 | 10.10.21.1 ~ 10.10.21.31 | Always | |
123 | | Allow | All Traffic [1] | LAN | Any | Any | Always | |
 | | Allow | All Traffic [1] | LAN | Any | Any | Always | |
 | | Deny | All Traffic [1] | WAN1 | Any | Any | Always | |
 | | Deny | All Traffic [1] | WAN2 | Any | Any | Always | |

I guess I should clarify, the SG-300 is running in Layer 3 mode, and the VLANs are defined on it; however, the static routes are defined on the RV042. Maybe there's a more efficient way of doing this?
Below is a scrubbed copy of my switch configuration.
config-file-header
SWITCH01
v1.3.5.58 / R750_NIK_1_35_647_358
CLI v1.0
set system mode router
vlan database
vlan 2
exit
no bonjour enable
hostname SWITCH01
no logging console
ip ssh server
ip ssh password-auth
clock timezone CEST +1
interface vlan 1
ip address 10.10.10.2 255.255.255.0
no ip address dhcp
interface vlan 2
name VIRTUAL-MANAGEMENT
ip address 10.10.21.1 255.255.255.224
interface gigabitethernet1
description ESXI01:VMNIC0:MGMT
switchport trunk allowed vlan add 2
interface gigabitethernet20
description UPLINK
exit
ip route 0.0.0.0 /0 10.10.10.1 metric 15
The routes I have defined are:
Destination IP | Subnet Mask | Default Gateway | Hop Count | Interface
10.10.21.0 | 255.255.255.224 | 10.10.10.2 | 1 | eth0
10.10.10.0 | 255.255.255.0 | | 0 | eth0
 | 255.255.252.0 | | 0 | eth1
239.0.0.0 | 255.0.0.0 | | 0 | eth0
default | 0.0.0.0 | | 40 | eth1
Just to reiterate the problem, I am able to connect to hosts on VLAN 2 from my computer on VLAN 1, but I am disconnected a minute or so later. When the firewall is disabled, I have no issues with connecting to the host across VLANs and maintaining that connection. Maybe I have a misconfiguration somewhere that is causing some issues? I appreciate the help.
-
BT is blocking specific traffic - Connection probl...
I started having this problem about two weeks ago, after multiple phonecalls to BT and a couple of emails nothing has been done, so hopefully someone on the forum can help.
The problem is the BT server that my hub connects to runs software to block specific traffic, I assume this is handy for restricted torrents or illegal downloads. But what it's blocking is a game called EVE Online, I used to play this game without a single problem until about two weeks ago. I logged in one day and the lag was unbearable, mainly due to the fact BT is blocking around 90% of packets that are sent to me. As I said, I used to be able to play no problem, but now I can't even go on for 2 minutes before I get kicked.
I've confirmed with the EVE support team that BT is causing the problem. EVE uses UDP and it only requires a packet loss of 5 consecutive packets before the game disconnects you. This may not seem like a lot, but due to the nature of it, any more than 5 packets can cause major problems in the game, so they just disconnect you. A friend of mine also had this problem, but to a lesser extent, though it did span across multiple games. He has since then switched to another broadband provider, which I will not name, and hasn't had the issue since. In EVE, recently BT have been known to block traffic. I'm not the first to ask EVE support for assistance on the matter, so they weren't strangers to the problem.
I've run a program called Ping Plotter to the EVE server. For those of you unaware, Ping Plotter is a useful tool to (as the name suggests) plot the latency (ping) of your connection to the server. PP also records packet loss and the exact route the client is using to connect to the server. The results average about 90% packet loss. Below are the results of PP.
500 trace count, 1 second per trace.
Packet loss is highlighted in RED
BT IP's are highlighted in BLUE
EVE IP's are highlighted in GREEN
Target Name: srv200-g.ccp.cc
IP: 87.237.38.200
Date/Time: 21/01/2014 2:41:46 AM to 21/01/2014 2:50:12 AM
Hop Sent Error PL% Min Max Avg Host Name / [IP]
1 500 0 0.0 1 34 2 BThomehub.home [192.168.1.254] PC TO HUB
2 500 423 84.6 9 57 21 esr19.edinburgh8.broadband.bt.net [213.1.130.142] HUB TO BT
3 500 474 94.8 10 149 26 [213.1.130.125]
4 500 480 96.0 18 66 29 [213.1.69.74]
5 500 481 96.2 19 63 31 [31.55.165.77]
6 500 476 95.2 19 71 35 [31.55.165.107]
7 14 11 78.6 18 53 29 acc1-10GigE-4-1-3.mr.21cn-ipp.bt.net [109.159.250.114]
8 133 126 94.7 29 62 47 core2-te0-13-0-14.ilford.ukcore.bt.net [109.159.250.46]
9 262 238 90.8 27 69 47 peer3-te0-1-0-7.telehouse.ukcore.bt.net [109.159.254.251]
10 500 443 88.6 25 74 40 ccpgames.com [195.66.226.23]
11 500 465 93.0 25 69 42 te-d2-e2.ccp.cc [87.237.37.246]
12 500 422 84.4 25 77 38 srv200-g.ccp.cc [87.237.38.200]
As you can see, that is completely unacceptable. The connection between my PC to my HUB is perfect, from the HUB to BT is where things go pearshaped.
Onto another note, the three times I've phoned, I've spoken to someone reading from a card. What I mean by that is they haven't got a clue what they're speaking about. They are denying there is a problem because 'ping google' works fine. the first time I was redirected to the tech support, but then found out I wasn't paying for the service so I couldn't use it. The second time the advisor hung up on me when I requested to speak to her supervisor, and the third I hung up because the advisor claimed BT broadband isn't designed to support online gaming, and he said a 90% packet loss is to be expected when online gaming, alright then.
Any help whatsoever on this issue is greatly appreciated. If I've missed anything out just ask for it and I'll post it.
Thanks.

What home hub model do you have and have you tried rebooting it? Lots of UDP traffic can be difficult for some routers to handle due to the inbuilt firewall. An older router, or possibly a router that's starting to have problems (dust blocking airflow, slowing the processor down), might cause issues like this due to load on the processor of the router (these things normally have very slow processors). Have you tried running extended ping tests? I'd try ping -n 1000 www.google.co.uk and ping -n 1000 www.bbc.co.uk; additionally try using ping -l 750 -n 1000 www.google.co.uk and ping -l 750 -n 1000 www.bbc.co.uk. What package are you on? Are you sure you're not on a package with traffic shaping? If the devices BT use to shape traffic don't understand what EVE is, they might assume it's P2P related and throttle it. A Glasnost test should help there. But the package you are on should be Totally Unlimited rather than just unlimited, which was introduced sometime around Feb last year, I believe. If you are on an older contract you are probably being traffic shaped. Additionally, it's best to concentrate on packet loss to servers rather than to routers. Backbone routers are often set up to deprioritize ICMP traffic directed to their own addresses except from servers used to manage them, so concentrating on packet loss to intermediate devices is often a red herring.
There are various utilities out there that can test a TCP or UDP port in a similar sort of way to ping; however, the remote servers, if they are protected by firewalls and IDP systems, might detect that as an anomaly and block it as a possible attack.
-
I can't Skype on my laptop anymore
I can't Skype on my laptop anymore

Kindly provide a more detailed description of the problem you are experiencing.
-
Can't download Skype for Windows
I'm trying to download Skype for Windows and when I run the install file it comes up with an error
(installing Skype failed, code 163). I do everything it asks but can't find Skype on the uninstall list. Can anybody help?

Try to install the currently latest Skype 7.6.0.105 version using this installer: http://download.skype.com/msi/SkypeSetup_7.6.0.105.msi
-
Can't open Skype on Windows 8.1
Hello. I can't open Skype on Windows 8.1. This hasn't happened before. I can log in but I can't open the window.

Please, run the DirectX diagnostics tool. Go to Windows Start and in the Run box type dxdiag.exe and press the OK button. This will start the DirectX diagnostics program. Run this diagnostics and save the results to a file. Please, attach this file to your post. Be aware that you will have to zip this file before attaching it here.
-
ACLs on Dot11Radio interface blocks ALL traffic
On an AP1220 w/IOS 12.2(11)JA1, all traffic is blocked when an ACL is applied on either the RF interface or the FastE interface, even explicitly permitted traffic. Also, using the "log" command after an ACL line fails to log anything. Below is the ACL I want to apply to the Dot11Radio 0 interface. It blocks ALL traffic:
access-list 100 permit udp any any eq bootpc log
access-list 100 permit tcp any host 10.0.0.1 eq 1723 log
access-list 100 permit gre any host 10.0.0.1 log
access-list 100 deny ip any any log
Here is a test ACL that blocked ALL traffic, as well:
access-list 101 permit udp any any log
access-list 101 permit tcp any any log
access-list 101 permit icmp any any log
access-list 101 permit ip any any log
Both ACLs blocked all traffic and failed to log a single event. If the ACL is removed, everything works. HELP!

It's a known bug: CSCec28612 - AP1200 access-list doesn't work on radio int with a log keyword
-
Any help on blocking Skype access on a school netw...
I just started helping with IT work at a middle school. The kids are always trying to waste time in class instead of working (nothing new there!) and part of my job is to cut access to games, social networking sites, etc... School isn't the place for those things, that's for after school / home. We're doing pretty well on most of this - IM stuff, Facebook, etc... but Skype is giving us trouble.
Can anyone provide some info on how we can block this at the network / firewall level? The kids have their own laptops so we can't block the program itself.

Considering you can't even block Skype on the firewall, the network is hardly going to know the difference between their "break time" and when they are in a lesson. Maybe do a time constraint? So during their lunch time the restrictions are lifted? And yes, I agree they shouldn't be doing it when the teacher is talking to them, that's just rude. But it does annoy me that everyone suffers just because a couple of people take advantage.
I used to be the hard-working kid and I only played games occasionally, but it was a right struggle. They will find a way to get round it anyway though, e.g. page 10 of Google until they get to a certain game site or whatever. But yeah, I would help you but I don't know how.
I also find it quite hilarious that students are making exactly the same posts but with the complete opposite intentions, haha! E.g. what proxy will let me have 10 minutes of fun in an ultra-boring class. I mean, let's face it, if they are bored enough to go on Skype then they aren't going to take anything in even if they couldn't go on Skype. They would just look at the walls or chat to their friends. I would suggest maybe using software which allows you to "see" their screens. Or let the teacher do it? With remote control included in it, so you could take control of their mouse and hit x. They had it in my school during the last 2 years and it worked. They even let me use it as an I.C.T. prefect.
-
ASA5505 blocking return traffic
Our network has slowed to a crawl and upon investigation it looks as if the ASA5505 is blocking returning traffic. The syslog is full of these from legitimate sites:
2013-08-30 16:58:01 local4.critical 192.168.1.254 Aug 30 2013 16:53:38: %ASA-2-106001: Inbound TCP connection denied from 207.131.246.15/80 to aaa.bbb.ccc.xxx/46099 flags PSH ACK on interface outside\n
2013-08-30 16:58:03 local4.critical 192.168.1.254 Aug 30 2013 16:53:40: %ASA-2-106001: Inbound TCP connection denied from 207.131.246.15/80 to aaa.bbb.ccc.xxx/31820 flags ACK on interface outside\n
I'm not really sure where to go next so any help would be appreciated.
We are also using Websense. I have a 'filter except' exception for the above examples (207.131.246.15) for both http and https. I have also reduced MTU to 1472 on the outside just to test. I also upgraded from 256 to 512 memory thinking maybe it was being stressed.
It seems to work for a while and then out of nowhere shuts everyone down from wherever they are browsing and then about 20 seconds to a minute later it starts up again.
I'm not really sure where to go next.
I have attached (what I hope is) a scrubbed config.
Thank you.

I looked for asymmetric routing. We have one other router attached to the internet, but that just does VPN to a datacenter and has a specific route set up on the gateway for it. Nothing else should be getting to it other than the single IP address routed to it.
It seems to be affecting any IP address that needs a persistent connection. As an example, I had to download Chrome to a PC this morning and it kept losing connection about 50% through the download. So from my experiments, what I can tell is that it makes the first connection no problem, but quickly dies after that and a new connection has to be made. Also, when this happens the IP address being accessed shows up in the "SYN Attack" list in ASDM. I have attached an image of the issue. The number one item on the list is a website we use all day long.
-
Blocking international traffic to BC site
Does anyone know how to block international traffic to a BC website? We receive a flood of traffic for international countries that drastically distort our analytic reports. Thanks for any help....

I understand the usability issue. It sucks to not have the information right when you log in. Sorry.
It is normal to get visits from international countries though. Sometimes I get a lot of visits from specific countries like you did from Ukraine. This usually happens in our case when companies or bots are trying to post their links in our blog.
Take advantage of the captcha from BC if you don't use it yet in your forms. I found extremely helpful lowering the number of spam that I was getting in both my blog posts and contact request tickets.
These are some other links that might help you....
To exclude certain IP addresses in BC
With Google Analytics these links may help you...
DATA FILTERS FOR VIEWS - Filter on geography
https://support.google.com/analytics/answer/1034773?hl=en&ref_topic=1034830
These are all the filters you can apply
https://support.google.com/analytics/answer/1034380?hl=en&ref_topic=1034830
Hope it helps.
PJ
-
Please :( .. How to block Skype account ??
Hello,
please .. How to block Skype account ??
Someone set up an account on Skype and put the means of communication data sister of Mobile Numbers Ground and the number of the house and put the name of indecent and improper
Please help to continue to support Skype team to block or delete this account as soon as
This is the fake account: amany_20133
Thanks

Dear Readers;
Please review the information in this FAQ article:
Can I Delete My Skype Account?
and then please contact Skype Customer Service to file your request as indicated in the instructions.
Regards,
Elaine