If Deep Packet Inspection for HTTP is enabled as follows:

R2811#sh class-map type inspect http
 Class Map type inspect http match-any HTTP-DPI (id 16)
   Match req-resp protocol-violation
   Match request port-misuse any
   Match response body java-applet
   Match req-resp header content-type mismatch
   Match req-resp header content-type unknown
   Match req-resp header content-type violation

R2811#sh policy-map type inspect http
 Policy Map type inspect http HTTP-DPI

the following results are observed:
1. http://www.yahoo.com never opens (note that the policy doesn't deny anything; the action is "allow" and "log"). The diagnostic is %APPFW-4-HTTP_PROTOCOL_VIOLATION.
2. http://www.cisco.com opens with the diag: %APPFW-4-HTTP_DEOBFUSCATION
3. http://www.cisco.com/go/netpro (this site) opens with the diag: %APPFW-4-HTTP_CONT_TYPE_UNKNOWN, %APPFW-4-HTTP_DEOBFUSCATION, %APPFW-4-HTTP_CONT_TYPE_VIOLATION, %APPFW-3-HTTP_MAX_REQ_EXCEEDED: Number of unanswered HTTP requests exceeded the limit 10 - resetting session.
The last one is the most interesting. Extra sessions are reset. The performance is... It seems there is no way to increase the number of concurrent HTTP sessions in appfw / zone-based firewall. Does anybody know?
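
For triaging the messages listed above, here is an added example (not part of the original post and not Cisco code) that tallies %APPFW messages from a syslog capture and separates log-only alerts from those that report a session reset. The log lines are constructed: the mnemonics and the HTTP_MAX_REQ_EXCEEDED text come from the post, while the timestamps, the "constructed detail" text and the helper name `summarize` are assumptions.

```python
import re
from collections import Counter

# IOS system messages have the form %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+)(?::\s*([^%]*))?")
LIMIT_RE = re.compile(r"exceeded the limit (\d+)")

# Constructed sample log. Mnemonics and the HTTP_MAX_REQ_EXCEEDED text are
# from the post; timestamps and "constructed detail" are placeholders.
SAMPLE_LOG = """\
*Mar  1 00:10:01: %APPFW-4-HTTP_PROTOCOL_VIOLATION: constructed detail
*Mar  1 00:10:05: %APPFW-4-HTTP_DEOBFUSCATION: constructed detail
*Mar  1 00:10:09: %APPFW-4-HTTP_CONT_TYPE_UNKNOWN: constructed detail
*Mar  1 00:10:09: %APPFW-4-HTTP_DEOBFUSCATION: constructed detail
*Mar  1 00:10:10: %APPFW-4-HTTP_CONT_TYPE_VIOLATION: constructed detail
*Mar  1 00:10:11: %APPFW-3-HTTP_MAX_REQ_EXCEEDED: Number of unanswered HTTP requests exceeded the limit 10 - resetting session.
*Mar  1 00:10:12: %SYS-5-CONFIG_I: constructed unrelated line
"""


def summarize(log_text, facility="APPFW"):
    """Return (counts, resets) for one facility's messages.

    counts maps (severity, mnemonic) -> occurrences.
    resets lists (mnemonic, limit) for messages that report a session
    reset, which the post observed despite an allow/log action.
    """
    counts, resets = Counter(), []
    for line in log_text.splitlines():
        # findall: several messages may be pasted on one line
        for fac, sev, mnemonic, text in MSG_RE.findall(line):
            if fac != facility:
                continue
            counts[(int(sev), mnemonic)] += 1
            if "resetting session" in text:
                limit = LIMIT_RE.search(text)
                resets.append((mnemonic, int(limit.group(1)) if limit else None))
    return counts, resets


if __name__ == "__main__":
    counts, resets = summarize(SAMPLE_LOG)
    for (sev, mnemonic), n in sorted(counts.items()):
        print(f"severity {sev}  {mnemonic:<28} x{n}")
    for mnemonic, limit in resets:
        print(f"session reset: {mnemonic} (limit {limit})")
```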