Troubleshooting Guide for the Cisco Web Security Appliance S670

It works like this:
1. The client sends an HTTP GET whose source is its own IP address (the client IP address) and whose destination is the web server IP address.
2. The firewall or router intercepts the HTTP GET and forwards it via WCCP GRE or pure L2 to the web cache/WSA. The source is still the client IP address and the destination is still the web server IP address.
3. The WSA inspects the request and, if it is legitimate, mirrors it towards the web server. Here the destination IP address is the web server IP address and the source IP address might be the WSA or the client, based on whether you enabled client IP address spoofing. For this example, it does not matter because the return traffic in both cases has to hit the WSA.
4. The return traffic is inspected at the WSA.
5. The WSA sends the response to the client with the source IP address ALWAYS set to the web server IP address (so the client does not get suspicious) and the destination set to the client IP address.
Problem
What happens if one of the routers from the diagram has to fragment the traffic? The WSA puts the DF bit on
packet number 5, but it has to be fragmented. The router drops it and tells the sender that fragmentation is
needed but the DF bit is set (ICMP type 3 code 4). After all, RFC 1191 has to work now and the sender must
lower its packet size.
With WCCP, the source IP address is the web server IP address, so this ICMP never goes to the WSA; rather,
it tries to go to the real web server (remember, this router on the bottom is not aware of WCCP). This is how
WCCP and path MTU discovery together sometimes break your network design.
Solution
There are four ways to solve this problem:
• Discover the real MTU and then use etherconfig on the WSA to lower the interface's MTU. Remember that the TCP header is 60, IP is 20, and when you use ICMP, that adds 8 bytes to the IP header.
• Disable path MTU discovery (pathmtudiscovery CLI WSA command). This results in a TCP MSS of 536, which might cause a performance problem.
• Change the network so there is no L3 fragmentation between the WSA and clients.
• Use the ip tcp mss-adjust 1360 (or other calculated number) command on the relevant interfaces of each Cisco router on the way.
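The Problem and Solution sections above can be checked with a small model of the packet flow. This is an added example, not Cisco's code or anything from this guide: the addresses, link MTU and header sizes are constructed values, the router is a minimal WCCP-unaware hop that drops DF-marked packets that exceed its MTU and addresses the ICMP type 3 code 4 to the packet's source, and the MSS-clamp helper stands in for the router-side adjustment described in the last bullet.

```python
from dataclasses import dataclass
from typing import Optional, Union

# Constructed addresses for the three hosts in the diagram (assumed values).
WSA_IP, CLIENT_IP, SERVER_IP = "10.0.0.5", "10.0.1.20", "203.0.113.10"
IP_HDR, TCP_HDR = 20, 20  # IPv4 and TCP header sizes without options

@dataclass
class Packet:
    src: str
    dst: str
    size: int        # total IPv4 datagram length in bytes
    df: bool = True  # the WSA sets DF on its responses (step 5 above)

@dataclass
class FragNeeded:
    """ICMP type 3 code 4; a router addresses it to the packet's source IP."""
    to: str
    next_hop_mtu: int

def router_forward(pkt: Packet, link_mtu: int) -> Union[Packet, FragNeeded]:
    """A WCCP-unaware router: forward, fragment, or drop with ICMP 3/4."""
    if pkt.size <= link_mtu:
        return pkt
    if not pkt.df:
        return Packet(pkt.src, pkt.dst, link_mtu, df=False)  # first fragment
    return FragNeeded(to=pkt.src, next_hop_mtu=link_mtu)

def wsa_response(payload_len: int) -> Packet:
    """Step 5: the WSA answers the client with the web server's IP as source."""
    return Packet(src=SERVER_IP, dst=CLIENT_IP, size=IP_HDR + TCP_HDR + payload_len)

def pmtud_feedback_target(link_mtu: int, payload_len: int) -> Optional[str]:
    """Who receives the 'fragmentation needed' message, or None if none is sent."""
    out = router_forward(wsa_response(payload_len), link_mtu)
    return out.to if isinstance(out, FragNeeded) else None

def clamp_mss(link_mtu: int, tunnel_overhead: int = 0) -> int:
    """MSS a router should advertise so that no segment exceeds link_mtu."""
    return link_mtu - IP_HDR - TCP_HDR - tunnel_overhead

def response_delivered(link_mtu: int, advertised_mss: int, wanted: int = 1460) -> bool:
    """With MSS clamping the WSA never sends more payload than the advertised MSS."""
    out = router_forward(wsa_response(min(wanted, advertised_mss)), link_mtu)
    return isinstance(out, Packet) and out.size <= link_mtu

if __name__ == "__main__":
    print("ICMP 3/4 is sent to:", pmtud_feedback_target(1400, 1460))  # 203.0.113.10, the web server, not the WSA
    print("clamped MSS for a 1400-byte link:", clamp_mss(1400))       # 1360
    print("delivered with clamp:", response_delivered(1400, clamp_mss(1400)))  # True
```

The first call shows the failure from the Problem section (the ICMP goes to the web server address, so the WSA never learns the path MTU); the other two show why a clamped MSS avoids the fragmentation entirely.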
Additional Notes
While this problem was under investigation, it was discovered that if you set the proxy explicitly into the
client for a couple of minutes and then remove it, the issue is resolved for the next four to five hours. This is
due to the fact that, in explicit mode, the path MTU discovery mechanism between the WSA and the client
works. Once the WSA discovers the path MTU, it stores it along with the discovered TCP MSS onto the