Cisco ASR 5000 Troubleshooting Guide

Contents
Introduction
Problem
Troubleshoot
Solution
Sample Configuration
Related Cisco Support Community Discussions
Introduction
This document describes a specific scenario in which applications that use Secure Sockets Layer (SSL) flows, such as Whatsapp and Snapchat, are free-rated for the subscriber while all other user traffic is blocked. This particular application runs on the Cisco Aggregated Service Routers (ASR) 5x00 series. SSL is a computer networking protocol that provides server authentication, client authentication and encrypted communication between servers and clients.
Problem
To detect any app, the analysis needs some initial packets of the flow. Two contradictory requirements have to be balanced, and both are fulfilled to the maximum extent possible:
a) Detection must happen in the first packet itself
b) Detection accuracy must be 100%
If you try to fulfil requirement (a) and mark all apps on the first packet (which is not practically possible), requirement (b), detection accuracy, suffers. To keep detection accuracy high, more packets must be analyzed for a lot of apps (there are apps and flows where the app is detected in the first packet itself). Even for the same app, some flows can be marked on the first packet while other flows of the same app need more packets for analysis.
So if an app is free-rated while all other traffic is blocked, it can happen that the initial packet of the app is not detected because it does not carry sufficient information. In the particular case of apps based on SSL flows, the protocol is marked using either the server-name-indication field present in the client-hello packet or the common-name present in the SSL certificate. As the server name is an optional field, it is not always present. As shown in this image, in a Whatsapp SSL flow the client-hello packet is sent by the app after the Three-Way-Handshake (TWH). The PCAP trace shows no Server Name Indication (SNI) field. Also seen are multiple retransmissions of the client-hello packet that eventually get dropped.
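The first-packet classification gap described above can be illustrated with an added example (not Cisco code and not part of the original document). It builds two constructed TLS ClientHello records, one carrying the SNI extension and one without it, and runs a minimal parser that reports whether the flow can be marked on the first packet or needs more packets (the certificate path). The host name `sni.example` and the cipher suite are assumed sample values.

```python
import struct

def build_client_hello(sni=None):
    """Construct a minimal TLS 1.2 ClientHello record (sample input, not a real capture)."""
    body = b"\x03\x03" + b"\x00" * 32            # client_version + 32-byte random
    body += b"\x00"                               # empty session id
    body += b"\x00\x02\xc0\x2f"                   # one cipher suite (assumed sample value)
    body += b"\x01\x00"                           # null compression only
    exts = b""
    if sni is not None:                           # SNI is optional: omit it when sni is None
        host = sni.encode("ascii")
        name_list = b"\x00" + struct.pack(">H", len(host)) + host   # name_type 0 = host_name
        ext_data = struct.pack(">H", len(name_list)) + name_list
        exts += b"\x00\x00" + struct.pack(">H", len(ext_data)) + ext_data
    exts += b"\x00\x17\x00\x00"                   # extended_master_secret, empty body
    body += struct.pack(">H", len(exts)) + exts
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body   # type 1 + 3-byte length
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

def extract_sni(record):
    """Return the SNI host name from a ClientHello record, or None if absent or malformed."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 43                                      # record hdr(5) + hs hdr(4) + version(2) + random(32)
    pos += 1 + record[pos]                        # skip session id
    if pos + 2 > len(record):
        return None
    pos += 2 + struct.unpack(">H", record[pos:pos + 2])[0]   # skip cipher suites
    if pos + 1 > len(record):
        return None
    pos += 1 + record[pos]                        # skip compression methods
    if pos + 2 > len(record):
        return None                               # no extensions block at all
    ext_end = pos + 2 + struct.unpack(">H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(ext_end, len(record)):
        etype, elen = struct.unpack(">HH", record[pos:pos + 4])
        pos += 4
        if etype == 0 and elen >= 5:              # server_name extension, first list entry
            name_len = struct.unpack(">H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += elen
    return None

def classify_first_packet(record):
    """'sni' when the flow can be marked on the client hello, else it needs later packets."""
    sni = extract_sni(record)
    return ("sni", sni) if sni else ("needs-more-packets", None)

if __name__ == "__main__":
    print(classify_first_packet(build_client_hello("sni.example")))
    print(classify_first_packet(build_client_hello()))
```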