CSG C5(14) alters HTTP traffic if http accounting is enabled
Hi guys,
I'm facing an issue with some mobile handsets that connect to the internet to gather information from the vendor website (http tcp 80).
I have CSG 5.5(14) configured in this way:
ip csg policy HTTP
 accounting type http customer-string INTERNET
ip csg content WWW
 ip any tcp 80
 replicate
 vlan CLIENTVLAN
 policy HTTP
 inservice
Mobile handsets receive an error while trying to connect.
A trace (attached) shows an HTTP 502 (Bad Gateway).
If I create a more specific content without policy (and consequently without http accounting) like the following, everything works:
ip csg content MYCONTENT
 ip 84.0.0.0 255.0.0.0 tcp 80
 replicate
 vlan CLIENTVLAN
 inservice
My problem is that the DNS resolves that hostname each time with a different IP address in different subnets, so I don't have a safe way to map the webserver to this new content.
My questions:
Is there any method to safely map that destination without involving a huge amount of IP addresses that should match the WWW content instead?
Anyone knows what is the behavior of http accounting in CSG?
Thanks in advance.
Regards,
Riccardo
Each HTTP method must be initiated by the same endpoint that initiated the TCP connection.
The CSG supports IP fragmentation for HTTP; Internet Message Application Protocol, version 4 (IMAP4); Post Office Protocol version 3 (POP3); Simple Mail Transfer Protocol (SMTP); Wireless Application Protocol (WAP) 2.0; and WAP 1.x, regardless of the order in which the flows arrive.
Refer to http://cisco.com/en/US/products/sw/wirelssw/ps779/products_configuration_guide_chapter09186a00806ab79a.html
Similar Messages
-
Is it possible to redirect https traffic to http in CSM?
Hello,
I have a requirement to redirect https traffic to http. Is it possible to do that in the CSM?
In the CSM documentation all redirect examples/config etc refer only to http traffic so I am wondering if the other way around is supported as well.
BTW I have already tried it on the CSM and it is not working. Every time I try to reach the https url I get "ERROR_INTERNET_SECURITY_CHANNEL_ERROR" in HttpWatch.
Thanks for any help offered.
Murtaza
I don't have a config in hands for this.
I have done it before and know this is feasible.
The redirect is here :
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00802877f6.shtml
Just change the vip to be only accessible by the SSLM.
Create the appropriate redirect vserver.
On the SSLM, send the decrypted traffic to the vip address and port.
Just as if the Vip was a server.
Gilles. -
WSA blocking HTTPS traffic -allowing HTTP
We have two S170 WSA appliances configured as Guest Wi-Fi Internet proxy servers. The local network design is as follows:
WLC5508 (Foreign) >> WLC5508 (Anchor) >> ACE20 Context >> WSA 170 >> FWSM >> Internet
Guest traffic is authenticated via WCS using RADIUS but is disabled for now.
Clients associate to SSID, receive IP address via local DHCP scope on anchor WLC and forward all traffic to DFWG which is ACE20 interface.
ACE20 has specific class-maps for public DNS use and loadbalance policy-map which forwards all other traffic (excluding DNS) to WSA.
HTTP traffic works fine, HTTPS traffic fails. The HTTPS proxy service uses a local self-signed certificate for initial decryption of the session. The browser and WSA negotiate to use TLSv1, then the error below is shown.
Fails
57666018.658 32 192.168.244.1 NONE_SSL/200 0 TCP_CONNECT 10.153.9.6:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 0 cs-auth-group= - c-port= 54930 cs-bytes= 0 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= - cs-referer= - cs-cookie= -
1357666018.760 32 192.168.244.1 NONE_SSL/200 0 TCP_CONNECT 10.153.9.6:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 0 cs-auth-group= - c-port= 54931 cs-bytes= 0 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= - cs-referer= - cs-cookie= -
1357666018.799 0 192.168.244.1 TCP_DENIED_SSL/403 0 GET https://post.packetconsulting.com:443/owa - NONE/- - BLOCK_ADMIN-HTTPS-NonLocalDestination-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 1 cs-auth-group= - c-port= 54931 cs-bytes= 598 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.4; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; InfoPath.2; Tablet PC 2.0; MS-RTC LM 8)" cs-referer= - cs-cookie= -
I have seen this error posted before but no resolution. I'm sure this is a config problem, but cannot figure why or where!
Any ideas, thoughts or help would be great...
Cheers
Hi axa,
This is an access policy blocking the SSL traffic based on the TCP_DENIED_SSL / 403. Also I would suspect that you do not have HTTPS proxy enabled, which would be required since you're not using port 80 for 443 traffic. I would recommend opening a ticket with the WSA Content Security Team.
Sincerely,
Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator
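The lines quoted in the question are the squid-style WSA access log, and the field that answers "why was this blocked" is the ACL decision tag (`BLOCK_ADMIN-HTTPS-NonLocalDestination-...`): its first segment is the decision, and the segments after it name the access policy and the identity that produced it. The following parser is an added example, not from the thread or from the WSA product; it runs over constructed lines modelled on the quoted ones (hosts and IPs are made up), and the field order plus the assumption that policy names contain no whitespace are mine.

```python
"""Parse WSA-style access-log lines and pull out which policy blocked an HTTPS
request. Added example; log lines below are constructed, not from a live appliance."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples modelled on the thread's entries. Assumed field order
# (squid-style WSA access log):
# timestamp elapsed client result/status bytes method url user hierarchy/server
# mime-type acl-decision-tag <scan-verdicts> ... custom fields
SAMPLE_LOG = """\
1357666018.658 32 192.168.244.1 NONE_SSL/200 0 TCP_CONNECT 10.0.9.6:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-> - s-ip= 255.255.255.255 s-port= 443
1357666018.799 0 192.168.244.1 TCP_DENIED_SSL/403 0 GET https://mail.example.com:443/owa - NONE/- - BLOCK_ADMIN-HTTPS-NonLocalDestination-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-> - s-ip= 255.255.255.255 s-port= 443 cs-user-agent= "Mozilla/5.0"
1357666020.101 15 192.168.244.7 TCP_MISS/200 5120 GET http://www.example.org/ - DIRECT/93.184.216.34 text/html DEFAULT_CASE_11-DefaultGroup-DefaultGroup-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-> - s-ip= 93.184.216.34 s-port= 80
1357666021.512 40 192.168.244.7 TCP_MISS_SSL/200 2048 GET https://www.example.org:443/secure - DIRECT/93.184.216.34 text/html DECRYPT_WEBCAT_7-Guest_Policy-DefaultGroup-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-> - s-ip= 93.184.216.34 s-port= 443
"""


@dataclass
class AccessEntry:
    timestamp: float
    client: str
    result: str            # e.g. TCP_DENIED_SSL
    status: int            # HTTP status returned to the client
    method: str
    url: str
    decision: str          # first segment of the ACL decision tag, e.g. BLOCK_ADMIN
    access_policy: str     # access policy group that made the decision
    identity_policy: str   # identity the client was matched into


def parse_line(line: str) -> Optional[AccessEntry]:
    """Parse one access-log line; returns None for lines that don't fit the layout."""
    fields = line.split(None, 11)          # first 11 fields never contain spaces
    if len(fields) < 11:
        return None
    ts, _elapsed, client, result_status, _bytes, method, url, _user, _hier, _mime, tag = fields[:11]
    result, sep, status = result_status.partition("/")
    if not sep or not status.isdigit():
        return None
    # Assumed tag layout: DECISION-AccessPolicy-IdentityPolicy-... Decisions use
    # underscores (BLOCK_ADMIN, DEFAULT_CASE_11), so the first hyphen is the boundary.
    segs = tag.split("-")
    try:
        timestamp = float(ts)
    except ValueError:
        return None
    return AccessEntry(
        timestamp=timestamp, client=client, result=result, status=int(status),
        method=method, url=url, decision=segs[0],
        access_policy=segs[1] if len(segs) > 1 else "",
        identity_policy=segs[2] if len(segs) > 2 else "",
    )


def parse_log(text: str) -> List[AccessEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def blocked_https(entries: List[AccessEntry]) -> List[AccessEntry]:
    """Entries where the proxy itself refused an HTTPS request: a BLOCK_* decision
    on a denied SSL transaction (the TCP_DENIED_SSL/403 pattern from the thread)."""
    return [e for e in entries
            if e.decision.startswith("BLOCK") and e.result.startswith("TCP_DENIED")
            and (e.result.endswith("_SSL") or e.url.startswith("https://"))]


def decisions_by_policy(entries: List[AccessEntry]) -> Counter:
    """Count (decision, access policy) pairs: when a whole class of traffic fails,
    one policy name showing up with BLOCK_* is the one to open in the GUI."""
    return Counter((e.decision, e.access_policy) for e in entries)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in blocked_https(entries):
        print(f"{e.client} {e.method} {e.url} -> {e.status} by policy "
              f"'{e.access_policy}' (identity '{e.identity_policy}')")
    print(decisions_by_policy(entries))
```

Reading the output for the quoted trace: the two TCP_CONNECT lines carry `OTHER` (the tunnel was accepted and, with a decryption policy, the session was opened), and the decrypted `GET` is then refused by the access policy named `HTTPS` that the client hit through the `NonLocalDestination` identity, which is where to look in the WSA configuration.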
-
Redirecting all HTTP traffic to HTTPS that will reverse proxy specific URI
-- Requirement --
I have a Sun web server 6.1 SP4 that sits in a DMZ that must securely reverse proxy traffic to an internal application server listening on 443.
The web server instance has two listen sockets, 80 and 443.
The web server instance must accept traffic on port 80 but re-direct it to 443 so all subsequent traffic with the client happens over HTTPS.
HTTPS traffic for "www.mydomain.com/myapp/" must be reverse proxied to the internal app server, "https://myapp.mydomain.com/myapp/".
-- Current set-up --
The server reverse proxies both HTTP and HTTPS traffic with the indicated URI.
How can I constrain the reverse proxying to HTTPS traffic?
Thanks for your help,
Jez
Thanks Chris, that worked perfectly.
Aside
Before your solution I had (unsuccessfully) tried the following obj.conf directive
<Client security="false">
NameTrans fn="redirect" from="/" url-prefix="https://www.mydomain.com/"
</Client>
However, it didn't work - is it not possible to use the <Client security="false"> in this manner? -
Redirect HTTPS traffic to HTTP in Tomcat
Hi,
We are running SAP BI Platform 4.0 SP2 Patch 7, which runs on top of Tomcat 6.
We have successfully configured our iPads to connect to our SAP BusinessObjects server using HTTPS over the internet. We have an application proxy that handles HTTPS and sends plain HTTP to the SAP BusinessObjects server.
The problem is that the same connection does not work when users are accessing our intranet, because the SAP BusinessObjects server only accepts HTTP requests on port 8080.
I have seen that Tomcat allows automatic redirections from HTTP to HTTPS (using the redirectPort parameter in the HTTP connector definition).
But is it possible the opposite, to switch automatically HTTPS to HTTP ?
Regards,
Joan
Hi,
At last we have activated HTTPS support in Tomcat. The idea was to avoid HTTPS in BOBJ servers to save CPU usage but after some tests we can afford it.
So no redirections are needed and the question is solved.
Thanks,
Joan -
Cisco ASA rely HTTP port to HTTPS without using CNAME DNS-record
Hi all,
could anyone tell me whether it is possible to configure the ASA so that when a customer requests http://domain.com, the Cisco ASA redirects to https://domain.com (similar to the CNAME function of a domain record).
P.S. The domain.com resource is located behind the ASA and the DNS A-record points to the public ASA IP address.
Thank you.
What version ASA are you running?
If the server has both static public and private IPs you could use NAT to redirect HTTP traffic to HTTPS based on IP.
object network PUBLIC_IP
 host 1.1.1.1
object network REAL_IP
 host 2.2.2.2
 nat (inside,outside) static PUBLIC_IP service tcp https http
Keep in mind that you will also need a NAT statement that maintains https to the server.
Please remember to select a correct answer and rate helpful posts
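A static NAT like the one above changes only the destination port: the client's plaintext `GET http://domain.com/` arrives at the server's TLS listener, where it fails the handshake instead of producing an https:// URL in the browser. A redirect has to come from something that answers HTTP on port 80 and replies 301 with the https:// form of the same URL. The following is an added example of that piece, not from the thread or from any Cisco product: a minimal redirector that treats the Host header as untrusted, so it cannot be turned into an open redirect or a cache-poisoning primitive. The names in ALLOWED_HOSTS and the listening port are assumptions.

```python
"""Minimal HTTP-to-HTTPS redirector (added example, not from the original thread).
Listens on plain HTTP and answers every GET/HEAD with a 301 to the https:// form of
the requested URL, but only for hostnames it is known to serve."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Assumed hostnames; substitute the names the site is actually published under.
ALLOWED_HOSTS = {"domain.com", "www.domain.com"}


def redirect_target(host_header: Optional[str], path: str,
                    allowed_hosts=ALLOWED_HOSTS) -> Optional[str]:
    """Return the https:// URL to send the client to, or None if the request must be
    refused. The Host header is attacker-controlled: echoing it unchecked into
    Location makes the redirector an open redirect, so it is matched against an
    allow-list first."""
    if not host_header:
        return None
    # Header injection: a CR/LF in the request target would split the response.
    if "\r" in path or "\n" in path:
        return None
    host = host_header.strip().lower()
    if host.startswith("["):            # IPv6 literal, never one of our published names
        return None
    host = host.split(":", 1)[0]        # "domain.com:80" -> "domain.com"
    if host not in allowed_hosts:
        return None
    # Keep only path and query. This discards any authority a client smuggles in an
    # absolute-form request line ("GET http://evil/x") or a protocol-relative
    # target ("GET //evil/x"), both of which would otherwise redirect off-site.
    parts = urlsplit(path)
    safe_path = parts.path or "/"
    if not safe_path.startswith("/"):
        safe_path = "/" + safe_path
    return urlunsplit(("https", host, safe_path, parts.query, ""))


class RedirectHandler(BaseHTTPRequestHandler):
    server_version = "redirector/0.1"

    def do_GET(self):
        target = redirect_target(self.headers.get("Host"), self.path)
        if target is None:
            self.send_error(400, "unknown host")
            return
        self.send_response(301)             # permanent: browsers cache it
        self.send_header("Location", target)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET

    def do_POST(self):
        # Never replay a request body across the redirect; make the client resend.
        self.send_error(405, "use https")


if __name__ == "__main__":
    # Port 8080 is assumed for testing; in front of the real server this sits on 80.
    HTTPServer(("0.0.0.0", 8080), RedirectHandler).serve_forever()
```

Start it and check with `curl -i -H 'Host: domain.com' http://127.0.0.1:8080/owa?x=1`: the response is a 301 with `Location: https://domain.com/owa?x=1`, while `-H 'Host: evil.example'` gets a 400 rather than a redirect to the attacker's site.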
-
ISE Guest Portal only redirect HTTPS traffic.
I have a wireless deployment consisting of the following:
5760 WLC & ISE 1.2
Am I missing something here
I have 4 similar deployments, and never had these issues:
On Android / Apple devices, the guest portal does not pop up automatically &
On a Windows Laptop only https traffic directs to the guest portal.
Thanx
I think you need to recheck the configuration; also check the link for a step by step config:
http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-security/landing_DesignZone_TrustSec.html -
Hello,
I'm running Server 3.1.2 on OS X 10.9. I was wondering if there was a way to send all traffic to http versions of webpages and not allow https?
I'm working at a school and our current content filter only works with http and doesn't filter https.
Sorry if I'm not clear, I'm new at this whole sysadmin thing.
Hi,
You can do that with .htaccess or php
Here is a link: https://sites.google.com/site/onlyvalidation/page/301-redirect-https-to-http-on-apache-server
A+ -
Can a WLC redirect HTTPS traffic in a CWA environment
Hi Guys.
Regarding ISE, CWA and WLC, I'm seeing that when you connect to the SSID and open your browser, if the URL is an HTTPS URL the traffic is not redirected to the ISE portal using CWA. I thought that the WebAuth Proxy Redirection Port option of the WLC only works when it has the portal (LWA) but not in CWA.
I only found information about the redirection of the traffic when is a HTTP connection (port 80).
Is it possible to redirect HTTPS traffic in a CWA deployment? Most of my users use Google Chrome and, in some scenarios, any search using Google is in HTTPS mode and the captive portal is not shown.
Thanks.
Best regards.
No, the WLC is not able to redirect HTTPS pages.
You can however add other ports(other than 80) that can be redirected incase of proxy etc.
HTH,
Steve
Please remember to rate useful posts, and mark questions as answered -
How to redirect https traffic to captive portal?
Any WLC controller model (8500/5508/2504/vWLC) version 7.3 and up..
This is unusual scenario wherein clients have a default homepage to https://www.google.com (sample only)
Typical http web redirection don't have any problem at all. When you open your browser and type http://www.google.com it will redirect to captive portal without any problem.
Is there any way to redirect https traffic to captive portal as well?
Redirection only happens on http traffic; a feature request has been issued to have the redirection happen on https.
please check the following
CSCar04580
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCar04580
Please make sure to rate correct answers -
Http Traffic Slow/Broken, ping fine
Hello,
I am writing because as of this morning all http traffic on my network has gone to a snail's pace. However, pings of all types work at normal speed, but fail approximately 5% of the time (independent of pinging an internal or external address).
I have a very basic setup; I do not really have any custom configuration on anything. The only wifi authentication at the moment is WPA2-PSK. I have this network set up as a test bed for a new setup; it's a good thing too, because it is unusable in its current state.
Network Setup:
3 3502i AP - Setup in Hreap mode - Connected to PoE Switch
1 2106 WLAN Controller - Connected to 2960
2960s Switch
Dell Layer 2 PoE Switch
Thanks!
Seth
Since you are using HREAP, I'd sniff the AP port. Make sure the traffic is flowing in both directions there before going further. You should also make sure to prune the VLANs that are not needed on the AP.
Also, make sure your ports are full duplex and not at half. -
QoS value for http traffic from IP Phone
Since the phone marks all voice with CoS 5 and data traffic with CoS 0, does this also include HTTP request traffic sourced from the IP phone when doing Directory Lookups and IP Phone Services?
Thanks!
With 4.1 and up (not sure if 4.0 had this), this traffic is marked with ToS 3 or DSCP CS3 (24). You can modify this enterprise parameter to whatever you want.
DSCP for SCCP Phone-based Services :
This parameter specifies the Differentiated Service Code Point (DSCP) IP classification for IP phone services on SCCP-based phones, including any HTTP traffic. Note: You must restart SCCP-based phones for this parameter change to take effect.
This is a required field.
Default: default DSCP (000000).
Restart SCCP-based phones for the parameter change to take effect.
HTH
Sankar
PS: please remember to rate posts! -
Intercepting all http traffic and forwarding to VIP on CSM?
We would like to intercept all http traffic from clients from all vlans and redirect them to a VIP on the CSM for loadbalancing to 2 proxy servers. Is this possible? I can't seem to find a solution similar to our issue. Please help, thanks!
Thx Giles! Do you mean a policy that uses route-maps with next-hop? So would I point the next-hop address to the CSM client vlan IP? Do you have a support link that covers this in detail? Thx!
-
Encapsulate ODBC traffic over HTTP???
Does anyone know if it's possible to have an external client (on the internet) make an ODBC connection to a database that is behind a firewall which only allows HTTP traffic to pass through? I guess the question is, is it possible to encapsulate ODBC traffic over the HTTP protocol so that it can pass through the firewall?
Thanks in advance,
John Sebastian
Probably not easily, no.
If the firewall allows arbitrary traffic on port 80, you could configure the Oracle database to accept connections on that port and configure the tnsnames.ora on the client machine to use port 80. This wouldn't go through HTTP, so if the firewall is actually analyzing the traffic, you'd be out of luck, but it would work if the port is wide open. Of course, it is a terrible idea from a security perspective-- opening up databases to connections over the internet is a recipe for pain and suffering.
It is certainly possible to write an ODBC to HTTP proxy that converts an ODBC call into some sort of web service call and then write an HTTP to ODBC proxy that lives inside the firewall that translates the HTTP calls back into ODBC calls, but that is likely to be very slow. And a lot of code-- I'm not aware of any commercial utilities that do that sort of thing.
Generally, the proper way to do something like this is to use Oracle Connection Manager (or something similar that is baked in to certain firewall products) to proxy the Oracle connection through the firewall. But that requires changing the firewall setup and/or installing additional software.
Justin -
Force http traffic to specific interface
Just set up a 2801 router. We have a Serial interface card on it connected to a T1 and eth1 connected to DSL. We want to force web traffic (http, https, ftp) to use the DSL connection. I tried a simple access-list to allow http to the DSL and deny to the T1, however it didn't seem to work. Then I noticed that in the SDM it has "default" rules that always enable http. Do I need to disable the http server to get this access list to work, or is there an easier way to force web traffic to a specific interface?
Thanks in advance.
I set up the route-map and access-list and applied it to FE 0/1 (DSL connection); however, it still appears nothing is going through that interface. When I monitor it in the SDM, it shows 0% bandwidth usage.
Just to double check I unplugged the DSL to see if web traffic stopped, but it was still going, I assume through the T1 at S 0/2/0.
FE 0/0 goes to our fw, then to lan
FE 0/1 goes to DSL
S 0/2/0 goes to T1
Here is my config:
router#show run
Building configuration...
Current configuration : 4506 bytes
! Last configuration change at 10:29:45 MDT Fri Aug 4 2006 by admin
! NVRAM config last updated at 15:17:31 MDT Thu Aug 3 2006 by admin
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
boot-start-marker
boot system flash c2801-ipbasek9-mz.124-8.bin
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$EWDt$pvWzeNhilneb/EUJosxlv0
no aaa new-model
resource policy
clock timezone MDT -7
clock summer-time MDT date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
ip cef
ip tcp synwait-time 10
no ip bootp server
ip name-server 198.60.22.2
ip name-server 198.60.22.22
username admin privilege 15 secret 5 $1$TF47$aa8RLf18isZxIwjOKfdmZ.
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
 ip address 199.104.124.210 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
interface FastEthernet0/1
 description $FW_OUTSIDE$$ETH-LAN$
 ip address 192.168.2.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 ip policy route-map toDSL
 duplex auto
 speed auto
 no mop enabled
interface FastEthernet0/1/0
interface FastEthernet0/1/1
interface FastEthernet0/1/2
interface FastEthernet0/1/3
interface Serial0/2/0
 ip address 204.228.133.46 255.255.255.252
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip route-cache flow
ip route 0.0.0.0 0.0.0.0 204.228.133.45
ip route 192.168.2.0 255.255.255.0 192.168.2.1
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
logging trap debugging
access-list 111 permit tcp any any eq www
no cdp run
route-map toDSL permit 1
 match ip address 111
 set ip next-hop 192.168.2.1
control-plane
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 exec-timeout 30 0
 privilege level 15
 login local
 transport input ssh
 transport output ssh
line vty 5 15
 access-class 102 in
 privilege level 15
 login local
 transport input ssh
scheduler allocate 20000 1000
ntp clock-period 17178101
ntp update-calendar
ntp server 198.60.22.240 source Serial0/2/0
end
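Two things stand out in the posted config. IOS policy routing is evaluated on packets as they arrive inbound on the interface carrying `ip policy route-map`; here it sits on FastEthernet0/1, the DSL side, while the LAN traffic to be steered enters on FastEthernet0/0 from the firewall, so the route-map never sees it and everything follows the default route out the T1, exactly the 0% DSL usage observed. Separately, access-list 111 matches only port 80, although the requirement was http, https and ftp, and the `ip http server` / `ip http secure-server` lines govern the router's own management web service, not transit traffic. The fragment below is an added example, not the poster's configuration: it assumes the same addressing as the post, and the NAT section rests on an assumption stated in its comments.

```ios
! Added example, not the poster's running config. Assumes the post's addressing:
! LAN/firewall side 199.104.124.208/28 on FastEthernet0/0, DSL device 192.168.2.1
! off FastEthernet0/1, default route via the T1 on Serial0/2/0.
!
! 1. Match the web traffic that should leave via DSL (ACL 111 only covered port 80).
ip access-list extended WEB-TO-DSL
 permit tcp 199.104.124.208 0.0.0.15 any eq www
 permit tcp 199.104.124.208 0.0.0.15 any eq 443
 permit tcp 199.104.124.208 0.0.0.15 any eq ftp
 permit tcp 199.104.124.208 0.0.0.15 any eq ftp-data
!
! 2. Policy-route it to the DSL device. PBR applies the next hop whenever a route to
!    192.168.2.1 exists; it does not check that the device answers, so without
!    verify-availability plus IP SLA tracking a dead DSL line black-holes matched
!    traffic instead of falling back to the T1.
route-map toDSL permit 10
 match ip address WEB-TO-DSL
 set ip next-hop 192.168.2.1
!
! 3. Apply the policy on the interface the traffic ENTERS, not the one it leaves by.
interface FastEthernet0/0
 ip policy route-map toDSL
 ip nat inside
!
interface FastEthernet0/1
 no ip policy route-map toDSL
 ip nat outside
!
! 4. Assumption: the DSL device only forwards sources from 192.168.2.0/24, so the
!    public 199.104.124.x addresses are translated to the router's DSL-side address
!    on the way out. Omit this block if the DSL device already NATs whatever it
!    receives. Traffic leaving via Serial0/2/0 is untouched because that interface
!    has no NAT role.
ip access-list extended NAT-TO-DSL
 permit ip 199.104.124.208 0.0.0.15 any
ip nat inside source list NAT-TO-DSL interface FastEthernet0/1 overload
```

To confirm the policy is actually being hit, `show route-map toDSL` shows the packet and byte counters for policy matches (they stay at zero when the route-map is applied on the wrong interface), `show ip nat translations` shows the outbound sessions once the NAT part is in place, and a short `debug ip policy` prints one line per policy decision while a browser is opened on the LAN.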