Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
219
Views
2
Helpful
3
Replies

ASA dropping Azure Traffic manager http health probes

mmjcollett
Level 1
Level 1

‎04-26-2024 05:04 AM

Hi there,

I have two ASA's that need to respond to Azure traffic manager probes, basically the outside interface IP's are a DNS lookup in traffic manager, however the ASA's drop the http probes from ATM. We cannot find anything in the service policy that references HTTP/S and we have not changed the default policy. Any one any ideas please? Sometimes the ASA responds to the first probe and ATM shoes the endpoint as healthy then is drops them, cannot see anything about HTTP rate limits or anything referencing the Outside interface dropping packets. 

3 Replies 3

MHM Cisco World
VIP
VIP

‎04-26-2024 05:59 AM 

ciscoasa# show threat-detection statistics top tcp-intercept

 Ascertain ASA Threat Detection Functionality and Configuration - Cisco

if the ASA allow the connection then I think the threat-detection is drop http, try exclude the IP from it and check

MHM

0 Helpful

tvotna
Spotlight
Spotlight
In response to MHM Cisco World

‎04-26-2024 08:50 AM - edited ‎04-26-2024 10:11 AM

@mmjcollett, do you mean that Azure sends HTTPS probe to the ASA outside interface IP address and ASA needs to respond? What kind of response does it expect and do you know how requested URL look like? Are you sure that request reaches ASA (capture tool can help you)?

Neither Threat Detection, nor TCP Intercept process to-the-box packets as mentioned in the limitations section of the document provided by @MHM Cisco World , so not sure why he/she thinks that Threat Detection or TCP Intercept is the culprit. Perhaps didn't read it.

ASA has built-in limitation of 100 embryonic to-the-box connections, although it is hard to believe you are hitting this limit. Still, check "show conn all proto tcp addr <ASA IP> port 443". But even if the limit is reached, it only activates SYN cookies on the box, ASA still responds with SYN/ACK and accepts ACK from the client if it arrives. So, this feature and regular TCP Intercept as well should never drop incoming requests. They are here to only protect from clients which do IP spoofing.

 

 

0 Helpful

tvotna
Spotlight
Spotlight
In response to tvotna

‎04-26-2024 08:55 AM

Forgot to mention: does ASA have "webvpn" / "enable outside" configured to respond to probes?

Also, the mentioned limit is activated on interfaces with WebVPN enabled (i.e. if firewall listens on port TCP/443).

 

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card