cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
596
Views
0
Helpful
4
Replies

Problem connecting to a website though ASA

CSCO10631105
Level 1
Level 1

I have an ASA and connection to the internet. I'm currently having problems with connectivity to a server which dishes out WMP DRM licenses. I read the 'known problem' relating to the MSS but this doesn't seem to be the problem as the values stated in the SYN and SYN-ACK's via an Etheral capture on my laptop look OK. The server responds after the HTTP GET with a HTTP 500 error. I've tried the same site/license HTTP string on my home broadband with a PIX and all works a treat. Any suggestions or next steps? Cheers

4 Replies 4

CSCO10631105
Level 1
Level 1

Update:

During a succesful conection to the server an Etheral capture shows that the server responded to the HTTP get with a "(TCP previous segment lost), continuation or non HTTP traffic" which contained half of my HTTP web address string. Then a duplictae ACK is sent from the client, then the server responds with a TCP re-transmission of the 'HTTP found' command. This happen EVERY time, I guess this is the source of the problem as the ASA must not like this duplication/retransmission.

Can anyone help!?

Cheers

Is there anyone who can help?

I've been reading this in the documentation......

Set the maximum number of out-of-order packets that can be queued for a TCP connection:

hostname(config-tcp-map)# queue-limit pkt_num

Where pkt_num specifies the maximum number of out-of-order packets. The range is 0 to 250 and the default is 0

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/protect.html

The default for a PIX OS 6 is 3 - could this be why the ASA is discarding the out of sequence packets?

You can see if the o-o-o packets are causing your issue by looking at the 'show asp drop' command. There is a counter called Out of order packet buffer full. If this counter increments quickly, you need to increase the number of buffers. Here is an explanation on how to change the buffer size:

1) Define an access-list for interesting traffic:

access-list tcp-queue-limit extended permit tcp any any eq 80

access-list tcp-queue-limit extended permit tcp any eq 80 any

access-list tcp-queue-limit extended permit tcp any any eq 443

access-list tcp-queue-limit extended permit tcp any eq 443 any

This only defines it for port 80 and 443 traffic.

2) Define your tcp-map:

tcp-map queue-limit-map

queue-limit 6

3) Define a class map:

class-map tcp-queue-limit

match access-list tcp-queue-limit

4) now match everything up in your policy map that is/will be applied globally:

policy-map global_policy

class tcp-queue-limit

set connection advanced-options queue-limit-map

Note: this can only be done on an ASA not a PIX

******** Please Rate *****************

Jay

Cheers but I dont see any TCP errors when I look at the 'sh asp drop' output.

Could it be an MTU issue?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: