tcp-acked tcp-buffer-timeout inspect http

Unanswered Question
Aug 28th, 2009


I am running an ASA with 8.0(2) code and http inspection enabled globally. For just one internet site in particular, it is virtually impossible to pull up a PDF page through a browser. It hangs up about 40% of the way through the 1.1MB download. I cleared the asp drop counters and put together some captures and was able to determine that the traffic is being dropped for one or both of the following reasons:


(1) tcp-acked - TCP DUP and has been ACKed

(2) tcp-buffer-timeout - TCP Out-of-Order packet buffer timeout


Disabling http inspection globally completely resolved the problem. The asp drops ceased and the PDF page would download perfectly. The problem is, however, that http inspection needs to remain enabled globally.


My task now is to disable http inspection for connections to just one website. I have attempted to use:


class-map WEBSITECM
 match access-list WEBSITEIP

policy-map type inspect http WEBSITEPM
 parameters
 class WEBSITECM


The above config outputs:

ERROR: Specified class type is different from the policy-map type.


Can someone post a good config under the 8.0(2) code that will accomplish the goal? Is it possible to disable http inspection for just one ip address while otherwise enabling it globally? Can I turn off asp functionality for just one site in any other way?


Thank You

jumora Mon, 11/18/2013 - 20:01
User Badges: Cisco Employee

That is a policy-map type with a none class-map type. Type with type, none type with none type.
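
The pairing rule in the reply above, shown as an added configuration sketch that is not part of the original thread or of either poster's message: an untyped (Layer 3/4) class-map carrying an ACL is paired with the untyped `global_policy`, so HTTP inspection stays on for everything except one site. The names `HTTP_INSPECT_ACL` and `HTTP_INSPECT_CM` are hypothetical, `192.0.2.10` is a constructed documentation address standing in for the web site, and the layout assumes the default `global_policy` / `inspection_default` configuration.

```cisco
! Added example; names and the address are hypothetical/constructed.
!
! What the question tried, and why it is rejected:
!   class-map WEBSITECM                      <- no type (Layer 3/4 class-map)
!   policy-map type inspect http WEBSITEPM   <- type inspect http
!    class WEBSITECM                         <- class type differs from policy-map type
!
! ACL used for classification. A deny entry means "do not classify",
! so port-80 traffic to the site falls outside the class below.
access-list HTTP_INSPECT_ACL extended deny tcp any host 192.0.2.10 eq www
access-list HTTP_INSPECT_ACL extended permit tcp any any eq www
!
! Untyped class-map: this is where "match access-list" is used.
class-map HTTP_INSPECT_CM
 match access-list HTTP_INSPECT_ACL
!
! Untyped policy-map: untyped class with untyped policy.
! HTTP inspection is moved out of the default class and applied
! only to traffic that HTTP_INSPECT_CM classifies.
policy-map global_policy
 class inspection_default
  no inspect http
 class HTTP_INSPECT_CM
  inspect http
!
service-policy global_policy global
```

To check the result, run `clear asp drop`, retry the download, and compare the `tcp-acked` and `tcp-buffer-timeout` counters in `show asp drop`; `show service-policy inspect http` shows which class is applying the inspection.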
