Cisco Web Security Appliance Slowness issue

Similar Messages

• Cisco Web Security Virtual Appliance Demo license?

  Is there a demo license available to test Cisco Web Security Virtual Appliance?
  Regards.

  Thank you so much Kasper! You are an angel fallen from heaven!
  Just 1 question, when I am ready to get the License appears the next information, do you know if the number 1 in the Qty column means 1 demo for just 1 user? Or do you know if I can get 1 demo for many users?
  Regards!
  NA
  SKU Name
  Qty
  Ordered
  Available
  Quantity Added
  -->License Start Date:
  License End Date:
  1
  WSA-WSP-45D 
  1-->
  1
  -->1
  03/13/2014
  04/27/2014

• Ask the Expert:Cisco Web Security

  With Ryan Wager
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn about design, configuration and troubleshooting of the Cisco Web Security Solutions including Cisco Ironport WSA and Cisco ScanSafe with Cisco experts Kiran Sirupa and Ryan Wager. Kiran Sirupa is a technical marketing engineer in the product marketing team for the Cisco IronPort Web Security Appliance product line. He also works on documentation, partner ,and system engineering training. Kiran has been working in the Cisco Security Technologies group for more than six years. Ryan Wager is a technical marketing engineer at Cisco in the product management team for the ScanSafe Web Security platform. He is heavily involved with the product's integration with the Cisco Integrated Services Router Generation 2 platform, along with documentation, training, and testing of all new products and features. Before joining the product management team, Wagner spent two years as an implementation engineer helping ScanSafe's largest customers implement the platform into their networks.
  Remember to use the rating system to let Kiran and Ryan know if you have received an adequate response.  
  They might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community, discussion forum shortly after the event. This event lasts through October 7, 2011.. Visit this forum often to view responses to your questions and the questions of other community members.

  Yes, the IronPort WSA will support all the security functions including Anti-Virus, Anti-Malware, Anti-Spyware, Web Reputation when working in conjunction with an existing proxy.
  There are two conditions:
  1. WSA acts as an upstream proxy - In this case, the authentication will be handled by your existing proxy, but the WSA is the first layer of defense. The WSA will perform a lookup in its web reputation database based on the destination. Also, The WSA can scan the http response with Anti-Virus, Anti-SpyWare and Anti-Malware software. However, since the WSA doesn't have user authentication information, you can only apply global controls for Acceptable Use.
  2. WSA has to go through an existing upstream proxy - In this case, the WSA has all the security functionality. In addition, it also handles the authentication. Hence, you can apply role based controls.
  You may refer to the following links for more information:
  WSA Product Literature: http://www.cisco.com/en/US/products/ps10164/prod_literature.html
  Cisco Security Reports: http://www.cisco.com/en/US/prod/vpndevc/annual_security_report.html
  Cisco Security Intelligence Operations: http://tools.cisco.com/security/center/home.x

• Ironport web security appliance

  Hi,
  Just want to check if the IRONPORT
  S series web security appliances support
  failover/clustering of 2 boxes.
  thanks,

  Each Cisco IronPort web security appliance can be configured as a standalone proxy or to co-exist with other proxies (such as in a proxy hierarchy for conditional routing, failover and load balancing

• Warning System spameater Unable to connect to Cisco Web Security Service.; URL Filter...

  My C670 ESA's have been throwing these alerts intermittently for the past few days, anyone else seeing them?
  The Warning message is:
  Unable to connect to Cisco Web Security Service.
  URL Filtering will not work correctly.
  Please verify all network, proxy and firewall settings.
  Connection to "v2.sds.cisco.com" failed.
  The last error seen on this connection: "Request failed with code: 28 (Connection time-out)"
  Version: 8.5.6-092
  Looks like it is open on port 443 and currently up.  Hitting it with a browser gives me:
  https://v2.sds.cisco.com/
  After an error or two they go away and appear OK.   
  Checking the logs I don't see a way to verify URL lookups are working, is there a way?
  Also, I setup URL filtering six months ago and had it set to only trigger on (-10)-(-9.5) and saw about an 80% false positive.  It has improved over the past six months drastically but still catching mostly advertising URLs and allowing all phishing URLs right through.  I've yet to see it block a phishing URL.
  Jason

  After lots of trial and error, I was able to eliminate this problem.  What I wound up doing is defining the XE service again in the listener.ora file:
  SID_LIST_LISTENER =
    (SID_LIST =
      (SID_DESC =
        (SID_NAME = XE)
        (ORACLE_HOME = C:\ProgramData\oraclexe\app\oracle\product\11.2.0\server)
  I know that typically you should not have to do this, especially since I already had defined DEFAULT_SERIVCE_LISTENER = (XE) at the bottom of the listener.ora file.  Explicitly defining the XE service in the listener.ora file allows the listener to find it while the system is running under the Cisco AnyConnect VPN.  The only hiccup I found by doing this is that the XE service is discovered twice by the listener when the system is NOT running under the Cisco AnyConnect VPN.  It still works OK.  The listener just seems to ignore the repeated definition of the XE service (see output below):
  C:\ProgramData\oraclexe\app\oracle\product\11.2.0\server\bin>lsnrctl service
  LSNRCTL for 32-bit Windows: Version 11.2.0.2.0 - Production on 13-JUN-2013 10:03:15
  .......(omitted output).......
  Service "XE" has 2 instance(s).
    Instance "XE", status UNKNOWN, has 1 handler(s) for this service...
      Handler(s):
        "DEDICATED" established:0 refused:0
           LOCAL SERVER
    Instance "xe", status READY, has 1 handler(s) for this service...
      Handler(s):
        "DEDICATED" established:0 refused:0 state:ready
           LOCAL SERVER
  Service "XEXDB" has 1 instance(s).
    Instance "xe", status READY, has 1 handler(s) for this service...
      Handler(s):
        "D000" established:0 refused:0 current:0 max:1022 state:ready
           DISPATCHER <machine: DEV-M-137GF, pid: 5544>
  (ADDRESS=(PROTOCOL=tcp)(HOST=DEV-M-137GF.paychex.com)(PORT=58257))
  The command completed successfully
  If anyone has a cleaner solution for this problem, please let me know.  Otherwise, I am moving forward with what I did.
  Thanks.....Paul

• Ask the Expert: Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features)

  With Namit Agarwal and Rahul Govindan 
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features) with experts Namit Agarwal and Rahul Govindan.
  This is a continuation of the live webcast.
  Cisco ASA CX (Context-Aware) is a next generation firewall service that serves as an extension to the Cisco Adaptive Security Appliance (ASA) firewall platform. In addition to the proven stateful inspection firewall capabilities, it provides us with next-generation capabilities and a host of additional network-based security controls for end-to-end network intelligence and streamlined security operations.
  Namit Agarwal is a customer support engineer at the Cisco Technical Assistance Center in Bangalore, India. He has more than four years of experience in the security domain. His areas of expertise include ASA firewalls, IPS, and ASA content-aware security (ASA CX). He has been involved in various escalation requests from around the world. He holds CCIE certification (number 33795) in security.   
  Rahul Govindan has been an engineer with the Security Technical Assistance Center team in Bangalore for more than three years. He works on security technologies such as VPN; Cisco ASA firewalls; and authentication, authorization, and accounting. His particular expertise is in Secure Sockets Layer VPN and IP security VPN technologies. He holds CCIE certification (number 29948) in security.
  Remember to use the rating system to let Namit and Govindan know if you have received an adequate response. 
  Because of the volume expected during this event, Namit and Govindan might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity VPN shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
  Webcast related links:
  Slides from the live webcast
  Video Recording of the live webcast
  Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features): FAQ from live webcast

  Hello Namit and Rahul,
  Here are few questions that came in directly during your live webcast hence posting them here so that users can benifit:
  1)      How is ASA CX different from other UTM solutions ?
  2)      How is dynamic application inspection of CX better than other inspection engines  ?
  3)      What features or functionalities on the CX are available by default ?
  4)      what are the different ways we can run or install CX on the ASA platform ?
  5)      What VPN features are supported with multi context ASA in the 9.x release ?
  6)      What are the IPv6 Enhancements in the ASA version 9.x ?
  Request you to please provide your responses to them individually.
  Thanks.

• SunBlade 100 to Cisco PIX Security Appliance

  I have a problem connecting a SunBlade 100 workstation with Cisco Routers, and the PIX Security Appliance at the Console ports of both a Cisco router and the Cisco PIX Security Appliance. This should be out of the serial port of the SunBlade 100 workstation..
  I have tried to use the UNIX command tip hardwire. No luck connecting to the console port. I also tried to use the UNIX cu command again no response from the console port. I tried connecting a modem temporarily to the SunBlade 100 workstation and was successful in echoing a phone number to a modem. However, I need to use a direct connection from the SunBlade 100 workstation.
  Currently, Windows 2000 workstations are used with
  Hyperterminal to connect to routers and the PIX Security Appliance. I have 24 SunBlade workstations in my classroom and need to use them to connect to the console port on Cisco routers, and the PIX Security Appliance. I would appreciate any help anyone might be able to give on this subject.

  Hello Namit and Rahul,
  Here are few questions that came in directly during your live webcast hence posting them here so that users can benifit:
  1)      How is ASA CX different from other UTM solutions ?
  2)      How is dynamic application inspection of CX better than other inspection engines  ?
  3)      What features or functionalities on the CX are available by default ?
  4)      what are the different ways we can run or install CX on the ASA platform ?
  5)      What VPN features are supported with multi context ASA in the 9.x release ?
  6)      What are the IPv6 Enhancements in the ASA version 9.x ?
  Request you to please provide your responses to them individually.
  Thanks.

• Cisco Email Security Appliance (ESA) - Reporting

  In previous versions on ESA you could export data and reports in CSV formats using an API. Is that still available?
  >From the following document :
  IRONPORT ASYNCOS 6.4 REPORTING API FOR IRONPORT APPLIANCES
  REPORTING API OVERVIEW
  The Reporting API feature allows you to download the same data collected by the Email Security Monitor component of the IronPort Email Security appliance or Security Management appliance in a comma separated value (CSV) format. This format allows users to integrate the IronPort appliance's data gathering capabilities into other IT and business reporting systems. 
  DOWNLOADING REPORTING DATA
  You can retrieve the data used to build the charts and graphs in the Email Security Monitor feature via HTTP. This is useful if you plan to perform further analysis on the data via other tools. The data is available in standard comma separated value (CSV) format. The easiest way to get the HTTP query you will need is to configure one of the Email Security Monitor pages to display the type of data you want. You can then simply click the Export... link to initiate the download process.

  It went away, there's a new one (RESTful) in 9.0/9.1
  http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa9-0/ESA_API_1-0_Getting_Started_Guide.pdf

• Clearing tcp sessions on the cisco acs secure appliance

  Hello,
  is there a possibility to view the number of tcp-session which are active on an acs secure appliance?
  Due to these hangups we have no connection to the appliance through web or console. So we are also interested in clearing the tcp-session instead of rebooting the appliance.
  Could somebody help us.
  thnx
  Torsten Waibel

  What is the acs software ver ?

• Cisco Web Portal Cancel button issues on IPAD/Iphones

  Hi All,
  Having an intermittent issue whereby when Ipads or iphones connect to our guest wireless webportal and authenticates (currently set to bypass) the 'cancel' button does not dissappear and change to 'done'.
  Most of the time it will change to 'done' and when the user clicks it, it will redirect to the desired website.
  Usually when the issue occurs, the user will click cancel and then need to re-associate to the SSID but during the 2nd re-association it connects through without the webportal prompt.
  Any suggestions or reasons why this is happening?
  The webportal is hosted on the controller.
  Thanks in advance,
  Wil

  I haven't really tested the play button bypass, but there is a way to trigger it when running in a normal browser. Don't know if the hack works on an iPad. There are numerous threads about it. Search for "cp.movie.play()"
  You can only stream from a server that is configured for streaming.

• BUG #CSCur27131 - Evaluation of CVE-2014-3566 on Cisco Email Security Appliance

  I have raised a support case with TAC to try and get more information on the preferred config as well as what Ciphers then become available. Points raised in the support case are as follows:
  Current config based from existing artilce pre-POODLE > MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH
  Should the new config be > MEDIUM:HIGH:-SSLv2:-SSLv3:-aNULL:@STRENGTH
  Use of strength meaning that the Ciphers are ordered and presented strongest to weakest as negotiation should occur at the first mutually accepted cipher.
  What are the TLSv1 Ciphers used by Ironport (verify under sslconfig CLI appears only to list SSL ciphers)
  Finally, does the Ironport support or plan to support in the future TLSv1.1 and TLSv1.2 ciphers?
  Response from TAC so far is the same as the referenced article - https://tools.cisco.com/bugsearch/bug/CSCur27131 which doesn't address all my points
  Paul

  Negating SSLv2 and SSLv3 in the cipher suite has no effect as long as only enabled TLSv1 is enabled.
  And reordering ciphers by strength won't bring anything since the client's ciphers order will always be preferred.
  Also, MD5 should be disabled as it's widely considered too weak for the job.
  My recommendation would be to use the following suite > HIGH:MEDIUM:!aNULL:!MD5

• Cisco Adaptive Security Appliance Software Version 8.2(4)

  Dear All
  I was configure IPSEC vpn on ASA5540 and i have problem with port blocked.  I am unable to block server ports to remote users.  See below configuration.   I need to configure vpn filter list can any one help me to configure vpn filter list. 
  access-list portal extended permit ip host 10.1.xx.33 192.168.20.0 255.255.255.0
  access-list portal extended permit ip host 10.1.xx.34 192.168.20.0 255.255.255.0
  access-list portal extended permit ip host 10.1.yy.33 192.168.20.0 255.255.255.0
  access-list portal extended permit ip host 10.1.yy.34 192.168.20.0 255.255.255.0
  group-policy portal internal
  group-policy portal attributes
  dns-server value 10.1.10.33 10.1.10.34
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value portal
  default-domain value abc.com
  split-dns value abc.com
  address-pools value vpnpool
  tunnel-group portal type remote-access
  tunnel-group portal general-attributes
  address-pool vpnpool
  authentication-server-group ACS
  default-group-policy portal
  tunnel-group portal ipsec-attributes
  pre-shared-key *&******
  I need to block this access-list and open only port 53 dns
  access-list portal extended permit ip host 10.1.yy.33 192.168.20.0 255.255.255.0
  access-list portal extended permit ip host 10.1.yy.34 192.168.20.0 255.255.255.0
  I write this access-list but it will not work and its open all ports.
  access-list portal extended permit udp 10.1.yyy.33 eq 53 192.168.20.0 255.255.255.0, but this access-list will not work and its open all ports like remote desktop, ftp, icmp, etc.
  any body can help me plz.
  anybody can help me how to used vpn filter list to block port or protocol based.

  Hi,
  You can have the split tunnel ACL named as portal and configured as below:
  access-list portal extended permit ip host 10.1.xx.33 192.168.20.0 255.255.255.0
  access-list portal extended permit ip host 10.1.xx.34 192.168.20.0 255.255.255.0
  access-list portal extended permit ip host 10.1.yy.33 192.168.20.0 255.255.255.0
  access-list portal extended permit ip host 10.1.yy.34 192.168.20.0 255.255.255.0
  You can configure a vpn-filter ACL like below:
  access-list VPNF extended permit udp 10.1.yyy.33 eq 53 192.168.20.0 255.255.255.0
  and then apply this VPNF access-list under the group-policy "portal" using the command vpn-filter value VPNF. Let me know if this helps.
  Regards,
  Prapanch

• Demo License for Virtual Image of Web Security

  Hello,
  I had downloaded the latest image for Virtual WSA.
  But I am not able to get the demo  license for that.
  It is showing the message "Access to the page resitricted."
  Thank you -- and you helpp will be appriciated..
  regards
  Hozefa

  Hello,
  You should have privileges as long as you are logging into the site using your CCO ID. If you do not have one please register for a CCO ID on www.cisco.com and you should have access to get a demo license. If you are logging in with your CCO ID and its still giving you the error message then you will need to reach out to your Cisco Account manager to provide the demo license. I apologize for any inconvenience this causes.
  Best Regards,
  Michael Hautekeete
  Customer Support Engineer
  Cisco Content Security - Web Security Appliance
  http://www.cisco.com/en/US/products/ps11169/serv_group_home.html
  https://supportforums.cisco.com/community/netpro/security/web
  https://supportforums.cisco.com/community/feeds?community=2091

• Windows 8 64 bit issues with Cisco AnyConnect Secure Mobility Client version 3.1.04072

  I am having an issue with the Cisco AnyConnect Secure Mobility Client version 3.1.04072 on a Windows 8 64 bit laptop.
  I am able to create the VPN connection but the connection will not allow data to be transferred.
  Stats from a manual connection:
  Cisco AnyConnect Secure Mobility Client Version 3.1.04072
  VPN Stats
      Bytes Received:  14375
      Bytes Sent:  0
      Compressed Bytes Received:  0
      Compressed Bytes Sent:  0
      Compressed Packets Received:  0
      Compressed Packets Sent:  0
      Control Bytes Received:  0
      Control Bytes Sent:  0
      Control Packets Received:  0
      Control Packets Sent:  0
      Encrypted Bytes Received:  7820
      Encrypted Bytes Sent:  1207
      Encrypted Packets Received:  9
      Encrypted Packets Sent:  3
      Inbound Bypassed Packets:  0
      Inbound Discarded Packets:  0
      Outbound Bypassed Packets:  0
      Outbound Discarded Packets:  0
      Packets Received:  4
      Packets Sent:  0
      Time Connected:  00:03:01
  Protocol Info
      Inactive Protocol
          Protocol Cipher:  RSA_3DES_168_SHA1
          Protocol Compression:  None
          Protocol State:  Disconnected
          Protocol:  DTLS
      Active Protocol
          Protocol Cipher:  RSA_3DES_168_SHA1
          Protocol Compression:  Deflate
          Protocol State:  Connected
          Protocol:  TLS
  OS Version
      Windows 8 : WinNT 6.2.9200
  Log from the data transmission software:
  24/12/2013 12:51:13 - Application version = 1.11.28.0
  24/12/2013 12:51:13 - Lodgement Library Version =  1.11.28.0
  24/12/2013 12:51:13 - Connection Method =  INTERNET
  24/12/2013 12:51:13 - DIS Connection Type = Automatic
  24/12/2013 12:51:13 - VPN Client =  ACTIVE
  24/12/2013 12:51:13 - Check Available Connections =  NOT ACTIVE
  24/12/2013 12:51:13 - Windows 8 (6.2.9200 SP )
  24/12/2013 12:51:13 - Language: English (Australia)
  24/12/2013 12:51:13 -
  24/12/2013 12:51:13 - Connected to ISP via LAN
  24/12/2013 12:51:13 - Checking for presence of VPN client.
  24/12/2013 12:51:13 - VPN client found. (C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpncli.exe)
  24/12/2013 12:51:13 - The Cisco AnyConnect Secure Mobility Client application is in use.
  24/12/2013 12:51:18 - Terminating Cisco AnyConnect Secure Mobility Client in progress ...
  24/12/2013 12:51:18 -
  24/12/2013 12:51:18 - Checking Cisco AnyConnect  version.
  24/12/2013 12:51:19 - Cisco AnyConnect Secure Mobility Client (version 3.1.04072) .
  24/12/2013 12:51:19 - Copyright (c) 2004 - 2013 Cisco Systems, Inc.  All Rights Reserved.
  24/12/2013 12:51:19 - Config file directory:C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\
  24/12/2013 12:51:19 -
  24/12/2013 12:51:19 - Loading profile:C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\ELS-IMelAde-TCP.xml
  24/12/2013 12:51:19 -
  24/12/2013 12:51:19 - Initializing the VPN connection.
  24/12/2013 12:51:19 - Ready to connect.
  24/12/2013 12:51:19 - Ready to connect.
  24/12/2013 12:51:19 - Contacting ELS-IMelAde-TCP.
  24/12/2013 12:51:23 - Authenticating user.
  24/12/2013 12:51:23 - Connected to VPN concentrator.
  24/12/2013 12:51:23 - Establishing VPN session...
  24/12/2013 12:51:23 - Checking for profile updates...
  24/12/2013 12:51:23 - Checking for product updates...
  24/12/2013 12:51:23 - Checking for customization updates...
  24/12/2013 12:51:23 - Performing any required updates...
  24/12/2013 12:51:23 - Establishing VPN session...
  24/12/2013 12:51:23 - Establishing VPN - Initiating connection...
  24/12/2013 12:51:24 - Establishing VPN - Examining system...
  24/12/2013 12:51:24 - Establishing VPN - Activating VPN adapter...
  24/12/2013 12:51:24 - Establishing VPN - Configuring system...
  24/12/2013 12:51:24 - Establishing VPN...
  24/12/2013 12:51:24 - Connected to VPN concentrator.
  24/12/2013 12:51:24 - Connected to ELS-IMelAde-TCP.
  24/12/2013 12:51:24 - Connected to VPN concentrator.
  24/12/2013 12:51:24 - Connection to VPN client return code = 0.
  24/12/2013 12:51:24 - Connected to VPN concentrator.
  24/12/2013 12:51:24 - Connecting : Connecting to 203.202.43.2.
  24/12/2013 12:51:45 - Error in ConnectToDIS - Socket Error # 10060
  Connection timed out.
  24/12/2013 12:51:46 -
  24/12/2013 12:51:46 - Disconnecting from the VPN concentrator.
  24/12/2013 12:51:46 - Disconnect in progress, please wait...
  24/12/2013 12:51:46 - Detaching AnyConnect, please wait...
  24/12/2013 12:51:47 - Detached.
  24/12/2013 12:51:47 - Disconnected from VPN concentrator.
  24/12/2013 12:51:47 - *****************************************************
  24/12/2013 12:51:47 -               END OF LODGEMENT PROCESS
  24/12/2013 12:51:47 - *****************************************************
  Issue history:
  - Previously running Cisco VPN client on Windows 8 64 bit laptop (VPN working and able to transmit data over VPN)
  - Upgrade to Windows 8.1 stopped the VPN client working
  - Refreshed system back to Windows 8 and reinstalled all software
  - Cisco VPN client would not install on system
  - Cisco AnyConnect Secure Mobility Client installs and is able to connect to VPN host
  - Cisco AnyConnect Secure Mobility Client downloads and installs software from VPN host
  - Data transmission software returns error code #10060
  Any assistance would be greatly appreciated.

  anyone found the fix for this?

• Issues reconnecting with cisco anyconnect secure mobility client when plugged in via ethernet

  Hi,
  I have a laptop running Windows 8 x64 with the Cisco AnyConnect Secure Mobility Client version 3.1.02040.  Ethernet and Wireless enabled.  by default, ethernet works primarily until the system detects that ethernet is down, i.e. undocked from docking station, it should switch to wireless.
  Problem:  When connected to vpn via ethernet card, it connects without any issues, but when i disconnect it takes a few seconds to disconnect, like 10+ seconds.  I try to reconnect to vpn but it says something is wrong with the vpn client and to restart the OS.  I restart and my system just takes forever to restart and eventually it will restart, but the OS will generate a MS crash dump. 
  If i undock my laptop and connect to vpn via my wireless card, everything works fine.  i can disconnect from vpn and it does it in a few seconds, I can reconnect without any issues.
  please advise...thanks.
  dan

  anyone found the fix for this?