I am running an ASA with 8.0(2) code and http inspection enabled globally. For just one internet site in particular, it is virtually impossible to pull up a PDF page through a browser. It hangs up about 40% of the way through the 1.1MB download. I cleared the asp drop counters and put together some captures and was able to determine that the traffic is being dropped for one or both of the following reasons:
(1) tcp-acked - TCP DUP and has been ACKed
(2) tcp-buffer-timeout - TCP Out-of-Order packet buffer timeout
Disabling http inspection globally completely resolved the problem. The asp drops ceased and the PDF page would download perfectly. The problem is, however, that http inspection needs to remain enabled globally.
My task now is to disable http inspection for connections to just one website. I have attempted to use:
match access-list WEBSITEIP
policy-map type inspect http WEBSITEPM
The above config outputs:
ERROR: Specified class type is different from the policy-map type.
Can someone post a good config under the 8.0(2) code that will accomplish the goal? Is it possible to disable http inspection for just one IP address while otherwise enabling it globally? Can I turn off asp functionality for just one site in any other way?