
Cisco Bug: CSCvu12067 - NBAR doing wrong identification of L7 Bit-torrent--->identifying Bit-torrent as amazon-web-services

Last Modified

May 29, 2020

Products (1)

  • Cisco XE SD-WAN Routers

Known Affected Releases

16.12.3

Description (partial)

Symptom:
The BitTorrent application is not blocked after it is added to the ZBFW policy.

Configuration:

policy
 zone-based-policy APP_TESTING_copy
    sequence 1
     match
      source-data-prefix-list Source_Prefix
      app-list TEST
     !
     action inspect
      log
     !
    !
  default-action drop
 !
  zone Internet_Zone
   vpn 0 
  !
  zone Service_Zone
   vpn 10 
  !
  zone-pair ZP_Service_Zone_Inter_1095548471
   source-zone Service_Zone
   destination-zone Internet_Zone
   zone-policy APP_TESTING_copy
  !
  zone-pair ZP_Internet_Zone_Servi_231064749
   source-zone Internet_Zone
   destination-zone Service_Zone
   zone-policy APP_TESTING_copy
  !
 lists
  data-prefix-list Source_Prefix
   ip-prefix 192.168.33.50/32 
  !
  local-app-list TEST
   app amazon 
   app bittorrent 
   app google-docs 
   app gtalk 
   app facebook 
  !
 !
 zone-to-nozone-internet deny
!

Conditions:
The BitTorrent application is not blocked after it is added to the ZBFW policy.

The following entries were seen on the cEdge when the BitTorrent website was opened from a web browser:

BR3-cEdge-1_Template#show sdwan app-fwd cflowd flows format table | in 54.230
10   192.168.33.50    54.230.70.66     58004  443    0     6      25     0       3      197     Tue May  5 07:52:04 2020  GigabitEthernet2  GigabitEthernet4  amazon-web-services  web                  No Drop               0       0        0    0      2      0     0     0      0      0     0
10   54.230.70.66     192.168.33.50    443    58003  0     6      24     0       21     5895    Tue May  5 07:52:01 2020  GigabitEthernet4  GigabitEthernet2  amazon-web-services  web                  No Drop               0       0        0    0      2      0     0     0      0      0     0
10   192.168.33.50    54.230.70.66     58003  443    0     6      24     0       18     3576    Tue May  5 07:51:45 2020  GigabitEthernet2  GigabitEthernet4  amazon-web-services  web                  No Drop               0       0        0    0      2      0     0     0      0      0     0

54.230.70.66 is a BitTorrent IP address; NBAR classifies traffic to this address as the "amazon-web-services" application (family "web") and hence forwards the packets.

++ Later, I included amazon-web-services in the application list and was no longer able to browse the BitTorrent website:

BR3-cEdge-1_Template#show sdwan app-fwd cflowd flows format table | in 54.230
10   192.168.33.50    54.230.70.66     58003  443    0     6      24     0       2      240     Tue May  5 07:53:57 2020  Null              GigabitEthernet4  amazon-web-services  web                  FirewallL7            240     2        0    0      2      0     0     0      0      0     0
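
The two captures above, worked through as an added example (Python, not Cisco code and not part of the bug report): a parser for the flow rows exactly as quoted here, plus a check that compares NBAR's label against what the operator knows about the peer (the report's statement that 54.230.70.66 is a BitTorrent address) and against the local-app-list TEST from the configuration. It assumes the column order of the quoted rows, including that the two integers after the drop cause are drop octets and drop packets (consistent with the 240-byte, 2-packet flow shown dropped); the header row of the command output is not shown in the report, so the two interface columns are kept unlabelled.

```python
import re
from dataclasses import dataclass

# Added example, not Cisco code. Field names follow the order of values in the
# rows quoted in the report (no header row is shown). The two integers after
# DROP CAUSE are read as drop octets / drop packets (assumed; it matches the
# 240-byte, 2-packet dropped flow). The interface columns stay unlabelled.
FLOW_ROW = re.compile(
    r"^\s*(?P<vpn>\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<dscp>\d+)\s+(?P<proto>\d+)\s+"
    r"(?P<tcp_bits>\d+)\s+(?P<icmp>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+"
    r"(?P<time>[A-Za-z]{3}\s+[A-Za-z]{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d{4})\s+"
    r"(?P<intf_a>\S+)\s+(?P<intf_b>\S+)\s+(?P<app>\S+)\s+(?P<family>\S+)\s+"
    r"(?P<drop_cause>.+?)\s+(?P<drop_bytes>\d+)\s+(?P<drop_pkts>\d+)"
    r"(?:\s+\d+){9}\s*$"
)


@dataclass(frozen=True)
class Flow:
    vpn: int
    src: str
    dst: str
    dport: int
    pkts: int
    octets: int
    app: str
    family: str
    drop_cause: str
    drop_bytes: int
    drop_pkts: int

    @property
    def dropped(self) -> bool:
        # "No Drop" means forwarded; anything else names the drop reason.
        return self.drop_cause != "No Drop"


def parse_flows(text: str) -> list:
    """Parse flow rows; the prompt/command line and blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_ROW.match(line)
        if not m:
            continue
        g = m.groupdict()
        flows.append(Flow(
            vpn=int(g["vpn"]), src=g["src"], dst=g["dst"], dport=int(g["dport"]),
            pkts=int(g["pkts"]), octets=int(g["bytes"]), app=g["app"],
            family=g["family"], drop_cause=g["drop_cause"].strip(),
            drop_bytes=int(g["drop_bytes"]), drop_pkts=int(g["drop_pkts"])))
    return flows


def audit_flows(flows, known_hosts, blocked_apps):
    """One finding per flow to/from a host in known_hosts (IP -> app the
    operator knows it serves). Issues: "misclassified" when NBAR's label
    differs, "not-dropped" when an app in blocked_apps was forwarded anyway."""
    findings = []
    for f in flows:
        peer = f.dst if f.dst in known_hosts else f.src
        if peer not in known_hosts:
            continue
        expected = known_hosts[peer]
        issues = []
        if f.app != expected:
            issues.append("misclassified")
        if expected in blocked_apps and not f.dropped:
            issues.append("not-dropped")
        if issues:
            findings.append({"peer": peer, "nbar_app": f.app, "expected": expected,
                             "drop_cause": f.drop_cause, "issues": issues})
    return findings


def apps_to_add(flows, known_hosts, blocked_apps):
    """NBAR labels that would have to be added to the app-list for traffic to
    the known hosts to be dropped: the workaround the report used. Such a
    label also covers legitimate traffic to the service NBAR named."""
    return {f.app for f in flows
            if known_hosts.get(f.dst, known_hosts.get(f.src)) in blocked_apps
            and f.app not in blocked_apps}


# Rows copied from the report: before the workaround, then after
# amazon-web-services was added to the app-list.
BEFORE = """\
BR3-cEdge-1_Template#show sdwan app-fwd cflowd flows format table | in 54.230
10   192.168.33.50    54.230.70.66     58004  443    0     6      25     0       3      197     Tue May  5 07:52:04 2020  GigabitEthernet2  GigabitEthernet4  amazon-web-services  web                  No Drop               0       0        0    0      2      0     0     0      0      0     0
10   54.230.70.66     192.168.33.50    443    58003  0     6      24     0       21     5895    Tue May  5 07:52:01 2020  GigabitEthernet4  GigabitEthernet2  amazon-web-services  web                  No Drop               0       0        0    0      2      0     0     0      0      0     0
10   192.168.33.50    54.230.70.66     58003  443    0     6      24     0       18     3576    Tue May  5 07:51:45 2020  GigabitEthernet2  GigabitEthernet4  amazon-web-services  web                  No Drop               0       0        0    0      2      0     0     0      0      0     0
"""
AFTER = """\
10   192.168.33.50    54.230.70.66     58003  443    0     6      24     0       2      240     Tue May  5 07:53:57 2020  Null              GigabitEthernet4  amazon-web-services  web                  FirewallL7            240     2        0    0      2      0     0     0      0      0     0
"""
# From the report: 54.230.70.66 serves BitTorrent; local-app-list TEST names
# the apps the reporter expects the policy to act on.
KNOWN_HOSTS = {"54.230.70.66": "bittorrent"}
APP_LIST = {"amazon", "bittorrent", "google-docs", "gtalk", "facebook"}

if __name__ == "__main__":
    for label, text, apps in (("before", BEFORE, APP_LIST),
                              ("after", AFTER, APP_LIST | {"amazon-web-services"})):
        flows = parse_flows(text)
        print(label, audit_flows(flows, KNOWN_HOSTS, apps),
              "add to app-list:", apps_to_add(flows, KNOWN_HOSTS, apps))
```

Run against the two captures, the audit reports three forwarded flows for the BitTorrent host labelled amazon-web-services before the workaround and one flow dropped by FirewallL7 afterwards, and apps_to_add names the label the reporter had to add. Because a generic cloud label also matches legitimate traffic to that provider, the check is meant to surface the misclassification for a bug report or policy review while the NBAR signature is fixed, not to stand in for the fix.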