FYI: IOS APPFW / Zone-based Policy FW - results of testing


If Deep Packet Inspection for HTTP is enabled as follows:

R2811#sh class-map type inspect http
 Class Map type inspect http match-any HTTP-DPI (id 16)
   Match req-resp protocol-violation
   Match request port-misuse any
   Match response body java-applet
   Match req-resp header content-type mismatch
   Match req-resp header content-type unknown
   Match req-resp header content-type violation

R2811#sh policy-map type inspect http
 Policy Map type inspect http HTTP-DPI
   Class HTTP-DPI
     Log
     Allow
   Class class-default

the following results are observed:

1. http://www.yahoo.com never opens (note that the policy doesn't deny anything; the action is "allow" and "log"). The diagnostic is %APPFW-4-HTTP_PROTOCOL_VIOLATION.

2. http://www.cisco.com opens with the diag: %APPFW-4-HTTP_DEOBFUSCATION

3. http://www.cisco.com/go/netpro (this site) opens with the diag: %APPFW-4-HTTP_CONT_TYPE_UNKNOWN, %APPFW-4-HTTP_DEOBFUSCATION, %APPFW-4-HTTP_CONT_TYPE_VIOLATION, %APPFW-3-HTTP_MAX_REQ_EXCEEDED: Number of unanswered HTTP requests exceeded the limit 10 - resetting session.

The last one is the most interesting. Extra sessions are reset. The performance is... It seems there is no way to increase the number of concurrent HTTP sessions in appfw / zone-based firewall. Does anybody know?

IOS 12.4(15)T

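To quantify the behaviour the post describes (severity-4 "allow + log" audit events versus the severity-3 HTTP_MAX_REQ_EXCEEDED session resets), here is an added syslog triage script; it is not from the post or from Cisco. The mnemonics and the "limit 10" text come from the post; the timestamps and the detail text of the severity-4 lines in SAMPLE_LOG are constructed placeholders, and the mapping of mnemonic to class-map line is an assumption drawn from the names.

```python
import re
from collections import Counter

# Mnemonics quoted in the post, mapped (by name, an assumption) to the class-map
# line that produces them. HTTP_MAX_REQ_EXCEEDED is a session-limit reset, not a match.
MNEMONIC_SOURCE = {
    "HTTP_PROTOCOL_VIOLATION": "match req-resp protocol-violation",
    "HTTP_CONT_TYPE_UNKNOWN": "match req-resp header content-type unknown",
    "HTTP_CONT_TYPE_VIOLATION": "match req-resp header content-type violation",
    "HTTP_DEOBFUSCATION": "not tied to a match in the posted class-map",
    "HTTP_MAX_REQ_EXCEEDED": "unanswered-request limit; session is reset",
}

# Standard IOS syslog shape: %FACILITY-SEVERITY-MNEMONIC: message text
APPFW_RE = re.compile(r"%APPFW-(?P<sev>\d)-(?P<mnem>[A-Z_]+):\s*(?P<text>.*)")
LIMIT_RE = re.compile(r"exceeded the limit (\d+)")

def parse_line(line):
    """Return (severity, mnemonic, text) for an APPFW line, or None otherwise."""
    m = APPFW_RE.search(line)
    return (int(m.group("sev")), m.group("mnem"), m.group("text")) if m else None

def summarize(lines):
    """Separate 'allow + log' audit events from HTTP_MAX_REQ_EXCEEDED resets."""
    counts, resets, limit, worst = Counter(), 0, None, 7
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        sev, mnem, text = parsed
        counts[mnem] += 1
        worst = min(worst, sev)  # IOS severities: lower number = more severe
        if mnem == "HTTP_MAX_REQ_EXCEEDED":
            resets += 1
            lm = LIMIT_RE.search(text)
            limit = int(lm.group(1)) if lm else limit  # the "limit 10" in the post
    return {"counts": dict(counts), "session_resets": resets, "worst_severity": worst,
            "log_only": sum(counts.values()) - resets, "request_limit": limit}

# Constructed sample lines: mnemonics from the post; timestamps and the detail text
# of the severity-4 lines are placeholders, not real IOS output.
SAMPLE_LOG = [
    "*Mar  1 00:01:10.001: %APPFW-4-HTTP_PROTOCOL_VIOLATION: (constructed detail)",
    "*Mar  1 00:01:12.002: %APPFW-4-HTTP_DEOBFUSCATION: (constructed detail)",
    "*Mar  1 00:01:13.003: %APPFW-4-HTTP_CONT_TYPE_UNKNOWN: (constructed detail)",
    "*Mar  1 00:01:13.004: %APPFW-4-HTTP_CONT_TYPE_VIOLATION: (constructed detail)",
    "*Mar  1 00:01:14.005: %APPFW-3-HTTP_MAX_REQ_EXCEEDED: Number of unanswered HTTP "
    "requests exceeded the limit 10 - resetting session.",
    "*Mar  1 00:01:15.006: %SYS-5-CONFIG_I: Configured from console by console",
]
```

Feed it the router's logging buffer or a syslog collector's output for the test period; a rising session_resets count with log_only events elsewhere is the signature of the item-3 behaviour.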