CSM 3.3.0, FWSM 4.0(6), HTTP Inspection

Hi,
I have a firewall module (FWSM), version 4.0(6), which is managed with CSM 3.3.0. There is a problem with regular expression configuration in CSM. HTTP inspection with a regular expression is configured with ASDM successfully, but this configuration is not deployed with CSM on the FWSM. It seems CSM does not support regular expressions for the FWSM. The following picture shows that CSM supports HTTP advanced inspection configuration only for ASA 7.2 and PIX 7.2. I need to know whether CSM 4.0 has this limitation, or is there any solution for this CSM version?

Here is the guide for Flex configs http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.3/user/guide/tmplchap.html
There is no predefined FlexConfig for HTTP inspection, but you can create a new FlexConfig that has the commands
regex ...
class-map type inspect http ...
 match request header host regex ...
The FlexConfig in CSM will deploy the commands as if you were entering them at the CLI.
I hope it makes sense.
PK
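As an added example (not part of PK's reply or of CSM's predefined FlexConfigs), this is the complete CLI a FlexConfig object would carry to do what the thread asks: a regex, an HTTP inspection class map matching on the Host header, an HTTP inspection policy map that drops matching connections, and the hook into the existing global_policy. The object names, the Host pattern and the drop action are assumptions; the syntax follows the ASA 7.2 Modular Policy Framework, which is what the thread says ASDM already accepts on this FWSM.

```cisco
! FlexConfig body: CSM pushes these lines to the FWSM verbatim.
! Object names and the Host pattern are illustrative (assumed).
regex BLOCKED_HOST badsite\.example\.com

! Class map: which HTTP requests the policy acts on
class-map type inspect http match-all HTTP_BLOCKED_HOST
 match request header host regex BLOCKED_HOST

! HTTP inspection policy: what to do with those requests
policy-map type inspect http HTTP_POLICY
 class HTTP_BLOCKED_HOST
  drop-connection log

! Attach the inspection policy to the existing global service policy.
! "no inspect http" first, then re-add it with the policy name, so basic
! HTTP inspection stays in place and the regex match is added to it.
policy-map global_policy
 class inspection_default
  no inspect http
  inspect http HTTP_POLICY
```

Two things worth knowing before deploying it: CSM does not parse a FlexConfig body, so a typo in it only surfaces as an FWSM error at deployment time, and object names should not collide with anything CSM manages itself (such as inspection_default). After deployment, `show service-policy inspect http` on the FWSM shows whether the policy is attached and counting hits.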

Similar Messages

  • Disable http inspection in global_policy FWSM

    I am running 4.0(7) and we are experiencing some issues with downloads - specifically http downloads. Anything with an https link works fine.
Looking into the config on the FWSM I see that under the global_policy we are inspecting HTTP
    policy-map global_policy
     class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect skinny
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
      inspect http
I would like to remove inspect http as a test to see if this is causing our problems, but I am unsure of the impact of doing this.
    Also it is strange as this option has been there for a long time and our download issues have only recently started to happen, it does seem to be only for http links though?
    I don't really understand what the inspection engine does?

    Well,
    I removed the http inspection and it broke all inbound and outbound web services!
Then I discovered this
    url-server (WEB-Sense) vendor websense host 10.*.*.* timeout 30 protocol TCP version 1 connections 5
    filter url except 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 allow
    This web-sense server is down and no longer used.
But am I correct to assume that the presence of this config caused a problem, as all HTTP was trying to go via the Websense, but with HTTP inspection enabled it is able to go out direct?
    I am unclear as to exactly how the inspection and the url-server / filter url commands interact.
    Thanks
    Roger
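Added example, not part of Roger's post: the checks a practitioner would run on the FWSM before and after touching `inspect http`, so that the change is judged on counters and server state rather than on whether downloads happen to work at that moment. These are standard FWSM/ASA show commands; the comments describe the general meaning of their output, not anything observed on Roger's firewall.

```cisco
! Which inspect lines in the service policy actually see traffic
! (per-class hit counters for inspect http)
show service-policy inspect http

! The URL-filtering configuration that was found afterwards
show running-config url-server
show running-config filter

! What the FWSM believes about the filtering server: the configured
! url-server entries, and (under "URL Server Status") whether each is
! UP or DOWN, with counts of requests sent, allowed and denied
show url-server
show url-server statistics
```

If the Websense host shows DOWN while requests are still being sent to it, the filter configuration is the first thing to test, not the inspection engine; either way, the test belongs in a change window, since Roger found that pulling `inspect http` broke all web traffic.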

  • CSM ip address is blocked by the FWSM

    Hello,
I have CSM 3.3.1 SP3 and FWSM 4.0(4); to monitor the FWSM I am using the device manager from the CSM.
The problem is that when ASDM opens from CSM it works for a few seconds and then CSM loses connection to the FWSM.
I checked the logs on the FWSM and found that it denied the IP of CSM on the inside interface of the FWSM on port 443.
Of course I have enabled the HTTP server and allowed the IP of the CSM to access the FWSM: "http 10.139.2.253 255.255.255.255 inside"
I tried to open ASDM from my own workstation and it worked fine without any problem.
I also have an ASA 8.2.1 which I monitor by CSM without any problems.
Any idea how to fix this issue? Why is the FWSM blocking the IP of CSM when it should not?
    Thank you and Regards,

    Hello,
    Has any body faced this problem before?
Opening ASDM for the FWSM from the CSM client causes a problem, where ASDM loses the connection after a while.
But when I open ASDM directly and not via the CSM client, it works fine.
    Regards,

  • CSM, ASDM & FWSM versions

    Hi,
Can anyone explain the interaction between CSM, ASDM and the FWSM? I'm trying to work out if there are incompatible combinations of the various versions.
It is my understanding that the CSM server makes a connection to port 443 on the FWSM, so it must be communicating with the installed ASDM version. We have a CSM 3.1.1 server and FWSM 3.1(4) installed; is there a specific ASDM version that should be installed on the FWSM when using CSM, or can we just upgrade to the latest? The 6.1(x)F ASDM release notes say it is compatible with FWSM 3.1(4).
One of the reasons I am checking is that we recently had an issue where an ACL entry was not being matched correctly and the packets were being discarded by an entry further down the list. Originally the offending entry had the subnet referenced by IP/netmask; we changed the entry in CSM to use an object group for the same subnet and pushed the policy, and the ACL then behaved as expected. We then changed the ACL back to IP/netmask in CSM, pushed the policy, and it carried on matching correctly.
    During these changes the ACL order was identical and it wasn't anything complicated - the mask was a simple /24 subnet being referenced to allow a well known service port. We even have a test FWSM that is configured identically to the live one and the ACL worked fine on that during testing, the rules were copy & pasted from the test FWSM to the live FWSM in CSM.
    We are upgrading CSM to 3.3.1 next week so hopefully won't see this issue again.
    Regards
    Mel

    Thanks for the response.
    I fully understand the differences between ASDM & CSM and how they should be used. As it is, we only use CSM to configure the FWSM but we log in using CLI for troubleshooting.
    The question was asking how CSM talks to the FWSM using port 443. I presumed that when you upgraded the ASDM image on the FWSM this contained updates to the code that manages the incoming web connections on the FWSM i.e. fixed bugs, added functionality etc as well as updates to the software client that you can download.
    If I connect to my FWSM from my desktop using https://myfirewall/admin/index.html I get a choice of downloading and installing the ASDM GUI or running the ASDM as a java applet. Either way there is some code installed on the FWSM that these connect to i.e. a server process listening on port 443. I presumed that CSM would use the same management connections to the FWSM that the ASDM GUI does, the only difference being that CSM is intelligent enough to connect to multiple security devices at once. Whether you hit 'Submit & Deploy' or 'Apply' in your chosen GUI front end, the changes are pushed as a group of CLI commands in one go.
    Hence the original question about compatible code versions throughout the whole management chain. We have the FWSM software, we have the installed ASDM image on the FWSM module and we have the CSM software itself. All of which can be various versions and will contain capabilities and bugs pertaining to whatever version they are.
    With the ACL issue that we experienced we probably would not have had an issue if we had used just the CLI to input the changes, or if we used just the ASDM GUI, but a combination of all 3 factors may have created the issue with the dodgy ACL. Currently our FWSM web interface states it has 6.1F installed (since we are due to upgrade to CSM 3.3.1 I will leave it be) but if we were staying at CSM3.1.1 I would probably look at reverting the ASDM image to an earlier version on the FWSM, the FWSM image itself will stay at 3.1(4) and hopefully with that combination not see the ACL issue again.
    Hope that is a little clearer of what I am trying to understand.

  • CSM client vlan addressing

    Hi there,
    I'm testing out some new topologies for a planned installation and I have a question about the addressing that should be used on the client vlan of the CSM.
    In my topology I'll be running the CSM adjacent to a FWSM, with the MSFC will be on the inside of the FWSM.  Typically I assign a router-router or router-FW link a /29 range and assign the actual devices addresses in that range.  In my first test I setup the CSM and FWSM in a /29, and used client side VIP addresses in a totally different range.  I added static routes to the FWSM to point to the CSM for those ranges and as far as I can tell it works great.  I also tried the setup with the CSM, FWSM, and VIP addresses all in the same /24 range, and it also worked great.
    So while it seems that both worked fine, is there any advantage or technical reason why one would be better than the other, or is it all a matter of choice?  I've attached a diagram to illustrate.
    Thanks,
    Brandon

    Hi Brandon,
    Any of the two options are perfectly valid, and I see no technical reasons to choose one over the other.
    Daniel

  • CSM ret-code time-frame

A company I work for has a number of CSM modules (WS-X6066-SLB-APC) installed in 6513 chassis switches. The CSM modules are running version 4.2(14).
    These CSM modules are configured to load-balance a number of vservers via serverfarms, each serverfarm containing multiple real servers.
    Here is some example configuration:
    vserver SITE
      virtual 10.1.2.3 tcp www
      serverfarm SERVERFARM
      persistent rebalance
      inservice
    serverfarm SERVERFARM
      nat server
      no nat client
      predictor leastconns
      failaction reassign
      retcode-map RETCODE-MAP
      real 10.2.3.4
       inservice
      real 10.2.3.5
       inservice
    map RETCODE-MAP retcode
      match protocol http retcode 503 503 action remove 5 reset 300
    The company is facing a problem with what seems to be related to return code checking. Every once in a while a server will suddenly not receive any traffic for 5 minutes. This always occurs right after the server has sent a HTTP 503 return code. However we cannot see in the CSM logs that the CSM module has actually disabled the real server. For other serverfarms which are running regular HTTP and/or ICMP health checks to real servers we can clearly see in the CSM logs when a real server has been temporarily disabled due to health check failures.
    The return code checking is set to disable a real server for 300 seconds after the CSM has received five HTTP 503 responses from the real server. If we check the real server log however we cannot find more than that single 503 return code right before the server stops seeing any incoming traffic unless we move back at least hours in time.
I have tried to figure out what time frame those 5 return codes must be received within for them to count towards the maximum allowed return codes, but nowhere in any documentation can I find any information about this time frame.
    For all I know the CSM could keep track of every incoming 503 forever, until the maximum of five 503's is reached, and then the server is disabled for 300 seconds.
    Does anyone have any information about the time frame within which those return codes must be received by the CSM to count toward the maximum configured number of return codes before the configured action is taken?

    Hi Christopher
    EDIT: It might actually be me who misunderstood your reply. You probably gave me the correct answer already, that there is no time limit at all to the counter, and the counter will increase until it reaches 5 even if those 503's are spread out over several months time. Could you please confirm that this is what you meant? I'll leave my original reply down below for you to look at.
    ORIGINAL MESSAGE:
    Thanks for your reply, but I think you might have misunderstood my question, and I don't exactly blame you because I had some difficulty explaining what I meant.
    I know what each and every key word in the following line mean, and I understand the command.
    match protocol http retcode 503 503 action remove 5 reset 300
    We match the protocol http, and look for when/if the server sends a return code 503 back to a client. Each time a 503 return code is returned from the real server a counter is increased by one. When the counter reaches 5 we take the action to remove (disable) the server. 300 seconds after the server was disabled it will be enabled again, and the counter will also be reset to zero at this point.
    But I'm asking about the time frame for the counter, or rather if there is a default timer that resets the counter back to zero after a certain amount of time. Let me give you an example.
    I enable return code checking for HTTP 503 and configure it to disable a server after five HTTP 503's have been seen by the CSM
    1 minute later the server sends three HTTP 503 messages to a client. Now the return code check counter is at 3. This is where the "time frame" that I speak of begins.
Another 6 minutes later the server sends one HTTP 503 message to a client. The time frame within which the CSM has seen HTTP 503's is now 6 minutes, so the CSM has seen four different HTTP 503's within 6 minutes. The counter would now be at 4.
    5 months later the server sends a fifth HTTP 503 message to a client. The time frame is now five months and six minutes. Will this fifth HTTP 503 message increase the return code check counter to 5? If it does, then the server will be disabled for 300 seconds, even though it was 5 months since the previous four 503's were seen by the CSM.
    What I'm wondering is basically if there is a limited time frame (like a sliding window) after which the return code check counter is reset back to zero? I cannot find any information about this, and as far as I can see there is no command I can use to see what the return code counter is currently at either, so I cannot manually verify this.
    It would have made sense if the feature worked like this instead, and I'm still hoping that someone can provide documentation that says this is the way it is supposed to work (because if the above example is true, then the feature is broken and useless)
    I enable return code checking for HTTP 503 and configure it to disable a server after five HTTP 503's have been seen by the CSM
1 minute later the server sends three HTTP 503 messages to a client. Now the return code check counter is at 3. This is where the "time frame" that I speak of begins.
5 minutes later the counter is reset to zero, because no 503's have been seen for over five minutes.
2 months later the server sends a HTTP 503 message to a client. This increases the counter to one. The server is never disabled. After another 5 minutes the counter is reset back to zero again.
    I hope that the above examples make it a bit clearer what I meant with my original question.

  • Load Balancing with a CSM & SSL Module

    I'm trying to understand the best way to balance traffic to two servers when decrypting and re-encrypting with the CSM and an SSL module. I take the SSL traffic hitting the first CSM VIP and forward to the SSL module for decryption. Send the decrypted traffic back to another VIP on the CSM. Send the traffic to the client proxy VIP on the SSL which encrypts the traffic and forwards to the CSM VIP. That final VIP passes the traffic to the serverfarm containing the actual servers. How do I make sure the traffic is balanced between the final VIP and my servers. It seems that sticking on SSL session ID is the only way to go at that point which made decryption pointless. I feel like I'm missing something basic here.
    Thanks..

    Hi David,
Here you can find a full config example for your perusal: CSM and SSL Services Module Initial Configuration Example
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a0080216c16.shtml
A second config example: Configuring CSM to Load Balance SSL to a Farm of SCAs for One-Armed Proxy Mode
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00801aca55.shtml
    Sachin garg

  • HTTPS Keepalive with the CSM & SSL Module

    Has anyone had any success getting a secured web page for a keepalive using the CSM with and SSL module. If so can post an example?
    Thank you,
    Dave

    Hi David,
Here you can find a full config example for your perusal: CSM and SSL Services Module Initial Configuration Example
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a0080216c16.shtml
A second config example: Configuring CSM to Load Balance SSL to a Farm of SCAs for One-Armed Proxy Mode
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00801aca55.shtml
    Sachin garg

  • CSM HTTPS or SSL Health Probe

    We are currently using TCP probe for HTTPS webServer health checking. Is there a HTTPS or SSL probe available on CSM to send a url to detect if the HTTPS Apache WebServer is up or not?
    Many Thx, Q.Xie

You can download the TCL script file from the same location as the CSM software.
    In this TCL file you should find the following scripts
    [root@linux-1 cisco]# cat /tftpboot/c6slb-apc.4-2-1.tcl | grep -i "name ="
    #!name = CHECKPORT_STD_SCRIPT
    #!name = ECHO_PROBE_SCRIPT
    #!name = FINGER_PROBE_SCRIPT
    #!name = FTP_PROBE_SCRIPT
    #!name = HTTPCONTENT_PROBE
    #!name = HTTPHEADER_PROBE
    #!name = HTTPPROXY_PROBE
    #!name = HTTP_PROBE_SCRIPT
    #!name = IMAP_PROBE
    #!name = LDAP_PROBE
    #!name = MAIL_PROBE
    #!name = POP3_PROBE
    #!name = PROBENOTICE_PROBE
    #!name = RTSP_PROBE
    #!name = SSL_PROBE_SCRIPT
    #!name = TFTP_PROBE
There is an SSL_PROBE_SCRIPT that verifies that the SSL server responds to a client SSL HELLO message.
It does not verify whether you can send an HTTP request.
It only sends a HELLO as a client and waits for the server HELLO.
    With the SSLM for the CSM, there might be a way to achieve HTTPS probe.
    I never tried it, but the solution I see would be to create an HTTP probe on the CSM and direct to the SSLM which will do the encryption and forward it to the server.
    Regards,
    Gilles
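Added example, not part of Gilles' reply: how the SSL_PROBE_SCRIPT from the TCL file he lists is actually put to work on a CSM, loading the script file and attaching a script probe to an HTTPS server farm. The CSM slot, the TFTP server address, the probe, farm and vserver names and the real server addresses are all assumptions; the script name and file name are the ones shown in the grep output above.

```cisco
! Added example. Slot number, TFTP host, names and addresses are assumed.
module ContentSwitchingModule 5
 ! Load the Cisco-supplied probe scripts once; SSL_PROBE_SCRIPT is one of them
 script file tftp://10.10.10.1/c6slb-apc.4-2-1.tcl
!
 ! Script probe: sends a client HELLO and expects a server HELLO back.
 ! It proves the TLS listener is up, not that the application behind it works.
 probe SSL_HELLO script
  script SSL_PROBE_SCRIPT
  interval 10
  retries 2
  failed 60
!
 serverfarm HTTPS_FARM
  nat server
  no nat client
  real 10.2.3.4 443
   inservice
  real 10.2.3.5 443
   inservice
  probe SSL_HELLO
!
 vserver HTTPS_SITE
  virtual 10.1.2.3 tcp 443
  serverfarm HTTPS_FARM
  inservice
```

`show module csm 5 probe name SSL_HELLO detail` then shows the per-real probe state. Because this probe stops at the handshake, a server that completes TLS but returns 5xx for every request still counts as healthy; that is the gap Gilles' SSLM-based HTTP probe idea would close, and it is why a return-code map or an HTTP probe through the SSLM is the next step if application-level checking is required.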

  • Two FWSM module act as Single

    Hi ALL,
We have two switches, and two FWSM modules are inserted into the two switches. Can I add the FWSM as a separate device instead of a module, because I can't telnet to the FWSM from the switch? The customer is not ready to configure the telnet option. The FWSM modules are working in active/active mode, so a virtual single IP is configured. How can I add the FWSM module in this network?

You can use it as a separate device. For a further description, the following URL on FWSM configuration will help you
    http://www.cisco.com/en/US/docs/security/fwsm/fwsm23/configuration/guide/context.html

  • Satellite Pro U940 - How to downgrade from Win 8 to Win 7 64bit?

Actually I want to downgrade my laptop (Satellite Pro series U940) from Windows 8 to Windows 7.
But when I choose the hard disk to format and install the new operating system (W7 64-bit) I read this message: "No signed device drivers were found."
    Please guys, help me..!!

    Hi all,
I have my Toshiba U940, bought in Spain with Win8 pre-installed, but some drivers don't work fine and I want to downgrade to Win7.
    I have tried all the steps I read here:
    1) Changed BIOS to CSM mode.
    2) Download SATA drivers from http://en.file-upload.net/download-7845182/SATA.zip.html.
    3) Run the Win7 CD installation until the device is not found.
Then I load the 64-bit SATA drivers and it doesn't work, with a message (Spanish message) saying "It is not possible to install this driver...".
Any ideas? Something I forgot?
    Many thanks in advance!
    Carlos.

  • BizTalk Map - Xslt Issue

    Hi,
    Here is a piece of xslt, i need to replace the characters with their shortcode which are not supported in xml.
For example, I need to replace '&' with '&amp;' and similarly all other characters as mentioned
    Unsupported characters and their replacements:
& - &amp;
    < - &lt;
    > - &gt;
    " - &quot;
    ' - &#39;
    XSLT:
    <xsl:if test="/*[local-name()='Root' and namespace-uri()='http://schemas.microsoft.com/BizTalk/2003/aggschema']/*[local-name()='InputMessagePart_1' and namespace-uri()='']/*[local-name()='GetOrderDetailsByIdResponse' and namespace-uri()='http://tempuri.org/']/*[local-name()='GetOrderDetailsByIdResult'
    and namespace-uri()='http://tempuri.org/']/*[local-name()='TermsAndConditionList' and namespace-uri()='http://schemas.datacontract.org/2004/07/GEP.Cumulus.P2P.BusinessEntities']/*[local-name()='TermsAndCondition' and namespace-uri()='http://schemas.datacontract.org/2004/07/Gep.Cumulus.CSM.Entities']/*[local-name()='TermsConditionText'
    and namespace-uri()='http://schemas.datacontract.org/2004/07/Gep.Cumulus.CSM.Entities']/text()">
    <Extrinsic>
    <HeaderExtrinsic>
    <TermsAndConditions>
    <xsl:for-each select="../s10:TermsAndConditionList">
    <xsl:for-each select="s9:TermsAndCondition">
    <xsl:if test="s9:TermsConditionText">
    <TermsAndCondition>
    <xsl:value-of select="s9:TermsConditionText/text()" /> 
    </TermsAndCondition>
    </xsl:if>
    </xsl:for-each>
    </xsl:for-each>
    </TermsAndConditions>
    </HeaderExtrinsic>
    </Extrinsic>
    </xsl:if>
    [Need to do it in the value coming from termandcondition text ie s9:TermsConditionText]
    Thanks in Advance

    Then go back to the source and explain to them that this is not valid XML, and you cannot consume it. Have you tried opening this XML in a web browser? or have an XML Disassemble Pipeline Component consume it?
    It should be 
    <ns5:TermsConditionText>Terms&amp;conditions</ns5:TermsConditionText>
    From the source, otherwise you will not be able to parse it as XML.
    Morten la Cour

  • Using SSL Module to Encrypt HTTP post to external Server

    I would like to know if it's possible for a CSM with its SSL module to receive an HTTP POST from our internal web servers, encrypt that POST w/ SSL, and finally to forward the newly created SSL transmission to a remote external SSL server? If it is possible, is this good practice or is it better to let the web server do the encryption?

    this is possible.
    It is good practice if you do not want to overload your server with the heavy task of encryption/decryption.
If your server is very powerful and far from being used to its maximum capacity, you can do it on the server.
Another advantage of using an SSL module is that the CSM will see your request in clear text and can therefore perform some *smart* load balancing before it gets encrypted by the SSL module.
    [ie: cookie stickyness, url hashing, ...]
    Regards,
    Gilles.

  • How to clear cookies for a single domain?

    The new Developer Tools on IE 11 is terrible.
Previously, we could clear session cookies for the current page or clear cookies for the whole domain (of the current page). My page is now showing www.facebook.com and I am logged in to Facebook. I click the Network icon followed by the Clear cookies icon. Then I hit Enter in the Address box (note: not F5). Fiddler2 shows that IE 11 is submitting lots of facebook.com cookies (act, c_ser, csm, p, presence, s, xs).
    According to
    http://msdn.microsoft.com/en-us/library/ie/dn255004(v=vs.85).aspx "Clear cookies ensures that all cookies related to the current domain are removed, so that you get the experience of loading the page for the first time."
    Are there any hidden configurations I must do to have Clear cookies to work?
    Thanks.
    PS: Chrome is so much more flexible.  Not only can I clear cookies for the domain of the current page, but also any or all domains which the current page loads via script.

    Hi,
We can just clear the current domain through Clear cookies in the Network tab.
    It's recommended you post your question to the Internet Explorer Develop Center forum for further help.
    Internet Explorer Develop Center
    http://social.msdn.microsoft.com/Forums/ie/en-US/home?category=iedevelopment 
    Karen Hu
    TechNet Community Support

  • ACE tcp & udp inspection

    Hi,
I want to create a security model where one VLAN is more trusted than the other (like PIX/ASA or a router with inspection enabled). However, when I want to create a TCP or UDP inspection I can only select between a limited number of protocols.
I've created 2 class maps:
class-map match-all TCP_INSPECT
2 match port tcp any
class-map match-all UDP_INSPECT
2 match port udp any
Then combined them into a policy-map:
policy-map multi-match INSPECTION
class TCP_INSPECT
class UDP_INSPECT
However, when I enter policy-map\TCP_INSPECT I can only choose between:
dns   Configure dns inspection
ftp   Configure ftp inspection
http  Configure http inspection
icmp  Configure icmp inspection
rtsp  Configure rtsp inspection
However, I do have for example SMB traffic running from one VLAN to the other. How can I inspect that traffic so I don't have to enter an extra access-list entry?

    The ACE module comes with limited amount of security features.
    You will not have all the PIX or FWSM features on the ACE module.
    This is mostly a loadbalancer with some security features.
    Gilles.
