Cisco Bug: CSCvj01340 - Inconsistent URL categorization to block sites

Last Modified

Jul 10, 2018

Products (1)

  • Cisco Firepower Management Center

Known Affected Releases

6.2.2

Description (partial)

Symptom:
URLs for https://www.binnys.com and https://www.saucey.com are not blocked, although both fall under the Alcohol & Tobacco URL category and an SSL Policy and an Access Control Policy (ACP) are configured to block this kind of site.

Firewall engine debug logs:

Apr  5 00:45:20 ciscoasa SF-IMS[17361]: NGFWDbg 192.168.4.195-42865 > 38.124.14.41-443 6 AS 4 I 0: DataMessaging_GetURLData: returning URL_PENDINGTYPE for www.binnys.com
Apr  5 00:45:20 ciscoasa SF-IMS[17361]: NGFWDbg 192.168.4.195-42865 > 38.124.14.41-443 6 AS 4 I 0 rule order 2, id 268434433 Cannot Retry: *.binnys.com waited: 2000ms
Apr  5 00:45:20 ciscoasa SF-IMS[17361]: NGFWDbg 192.168.4.195-42865 > 38.124.14.41-443 6 AS 4 I 0 no match rule order 2, id 268434433 url=(*.binnys.com) c=65534 r=0
Apr  5 00:45:20 ciscoasa SF-IMS[17361]: NGFWDbg 192.168.4.195-42865 > 38.124.14.41-443 6 AS 4 I 0 match rule order 3, id 268434434 action Allow
Apr  5 00:45:20 ciscoasa SF-IMS[17361]: NGFWDbg 192.168.4.195-42865 > 38.124.14.41-443 6 AS 4 I 0 allow action

SSL logs:

2018-04-05 00:45:19.987 isSNIURLLookupContextPending:356 (M) [66.0] SNI Url lookup pending for www.binnys.com
2018-04-05 00:45:19.987 doRuleConditionsMatch:545 (M) [66.0] Rule #1 (DR-3-URL-Category) conditions don't match
2018-04-05 00:45:20.536 (V) [66.0] Verdict callback. Pending server name URL lookup.  Forced to take default verdict.

Conditions:
The behavior is intermittent: sometimes the URL is blocked and sometimes it is not.
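The debug lines above show the failure pattern: the URL category lookup for the SNI returns URL_PENDINGTYPE, the engine gives up waiting ("Cannot Retry ... waited: 2000ms"), the category rule therefore does not match, and the flow falls through to an Allow rule. The following script is an added example, not Cisco's code or anything from the bug record; it flags flows in a firewall-engine-debug capture that took this fail-open path, and counts the matching "Forced to take default verdict" entries in the SSL debug output. The sample lines are a constructed copy of those quoted in the description plus one made-up flow (192.168.4.200 to 203.0.113.10) whose lookup completed normally; the assumption that other verdict lines share the "<verdict> action" shape of "allow action" is a guess, since only that line appears on the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the NGFWDbg lines quoted in the bug, plus one made-up flow
# (192.168.4.200 -> 203.0.113.10) with no pending lookup, which must NOT be flagged.
SAMPLE_NGFW = """\
Apr  5 00:45:20 ciscoasa SF-IMS[17361]: NGFWDbg 192.168.4.195-42865 > 38.124.14.41-443 6 AS 4 I 0: DataMessaging_GetURLData: returning URL_PENDINGTYPE for www.binnys.com
Apr  5 00:45:20 ciscoasa SF-IMS[17361]: NGFWDbg 192.168.4.195-42865 > 38.124.14.41-443 6 AS 4 I 0 rule order 2, id 268434433 Cannot Retry: *.binnys.com waited: 2000ms
Apr  5 00:45:20 ciscoasa SF-IMS[17361]: NGFWDbg 192.168.4.195-42865 > 38.124.14.41-443 6 AS 4 I 0 no match rule order 2, id 268434433 url=(*.binnys.com) c=65534 r=0
Apr  5 00:45:20 ciscoasa SF-IMS[17361]: NGFWDbg 192.168.4.195-42865 > 38.124.14.41-443 6 AS 4 I 0 match rule order 3, id 268434434 action Allow
Apr  5 00:45:20 ciscoasa SF-IMS[17361]: NGFWDbg 192.168.4.195-42865 > 38.124.14.41-443 6 AS 4 I 0 allow action
Apr  5 00:45:21 ciscoasa SF-IMS[17361]: NGFWDbg 192.168.4.200-51000 > 203.0.113.10-443 6 AS 4 I 0 allow action
"""

# Constructed sample: the SSL debug lines quoted in the bug.
SAMPLE_SSL = """\
2018-04-05 00:45:19.987 isSNIURLLookupContextPending:356 (M) [66.0] SNI Url lookup pending for www.binnys.com
2018-04-05 00:45:19.987 doRuleConditionsMatch:545 (M) [66.0] Rule #1 (DR-3-URL-Category) conditions don't match
2018-04-05 00:45:20.536 (V) [66.0] Verdict callback. Pending server name URL lookup.  Forced to take default verdict.
"""

# Flow header of an NGFWDbg line: "<src>-<sport> > <dst>-<dport> <proto> AS <n> I <n>[:] <message>"
NGFW_RE = re.compile(
    r"NGFWDbg\s+(?P<src>\S+)-(?P<sport>\d+)\s+>\s+(?P<dst>\S+)-(?P<dport>\d+)"
    r"\s+(?P<proto>\d+)\s+AS\s+\d+\s+I\s+\d+:?\s*(?P<msg>.*)$"
)
PENDING_RE = re.compile(r"returning URL_PENDINGTYPE for (?P<host>\S+)")
CANNOT_RETRY_RE = re.compile(r"Cannot Retry: (?P<pattern>\S+) waited: (?P<ms>\d+)ms")
# Assumed shape for the final verdict line; only "allow action" is attested on the page.
VERDICT_RE = re.compile(r"^(?P<verdict>\w+) action$")
FORCED_DEFAULT_RE = re.compile(r"Pending server name URL lookup\.\s+Forced to take default verdict\.")

FlowKey = Tuple[str, int, str, int]  # (src, sport, dst, dport)


@dataclass
class FlowState:
    pending_host: Optional[str] = None   # host whose category lookup returned URL_PENDINGTYPE
    waited_ms: Optional[int] = None      # how long the engine waited before giving up
    final_verdict: Optional[str] = None  # last "<verdict> action" seen for the flow


def parse_ngfw_line(line: str) -> Optional[Tuple[FlowKey, str]]:
    """Split an NGFWDbg line into its flow 4-tuple and the trailing message."""
    m = NGFW_RE.search(line)
    if m is None:
        return None
    key: FlowKey = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
    return key, m["msg"].strip()


def find_fail_open_flows(lines: List[str]) -> List[dict]:
    """Return flows whose URL category lookup was still pending when they were allowed."""
    states: Dict[FlowKey, FlowState] = {}
    for line in lines:
        parsed = parse_ngfw_line(line)
        if parsed is None:
            continue
        key, msg = parsed
        st = states.setdefault(key, FlowState())
        if m := PENDING_RE.search(msg):
            st.pending_host = m["host"]
        elif m := CANNOT_RETRY_RE.search(msg):
            st.waited_ms = int(m["ms"])
        elif m := VERDICT_RE.match(msg):
            st.final_verdict = m["verdict"].lower()
    return [
        {"flow": key, "host": st.pending_host, "waited_ms": st.waited_ms}
        for key, st in states.items()
        if st.pending_host is not None and st.final_verdict == "allow"
    ]


def count_forced_default_verdicts(lines: List[str]) -> int:
    """Count SSL-policy verdicts that were forced because the SNI URL lookup was pending."""
    return sum(1 for line in lines if FORCED_DEFAULT_RE.search(line))


if __name__ == "__main__":
    for hit in find_fail_open_flows(SAMPLE_NGFW.splitlines()):
        src, sport, dst, dport = hit["flow"]
        print(f"fail-open: {src}:{sport} -> {dst}:{dport} host={hit['host']} waited={hit['waited_ms']}ms")
    print("forced default SSL verdicts:", count_forced_default_verdicts(SAMPLE_SSL.splitlines()))
```

Run against the output of `system support firewall-engine-debug` and the SSL debug log, a non-zero result is direct evidence that category-based blocking silently degraded to the default verdict; it is a useful way to quantify how often the intermittent behavior occurs while a fix is pending.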