I have recently consolidated my infrastructure and moved a few websites from DataCenter1 to DataCenter2. DC1 was running a PIX 515 with 6.3.x IOS. DC2 was running an ASA 5510 with 7.0.4 IOS and has been for 18 months.
The websites that were moved from DC1 to DC2 have stopped functioning as designed. 10 of 500 people can no longer use the site. At first we had the ASA 5510 running 7.0.4 and these 10 users could not log into the site. When they tried to log into the site, the site would take their credentials, authenticate them, create a session and send the cookie. But the browser would just hang and not load the new page.
We then upgraded the ASA from 7.0.4 to 7.2.x. Now they can log in, but when they go to use some of the forms on the site they can fill in the data, but when they post the data it will just hang. Again the site is accepting the data, but it is like the post back is never received by the client.
We have turned off Inspect HTTP but that does not seem to make a difference.
To test a theory we grabbed another PIX 515 running 6.3.x and swapped it with the ASA at DC2. All sites work fine. As soon as I put the ASA back in I get the above scenario.
This problem may appear if the packets are getting dropped because of the TCP length exceeding the MSS. The workaround for this consists in allowing those packets in the policy. You may either want to enable for any type of traffic, or for specific traffic only. Here are the configuration lines to disable it globally:
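
The configuration lines did not survive in the reply above. As an added example that is not part of the original reply, this is one way to express the described workaround in ASA 7.x Modular Policy Framework syntax; the names `http-list2`, `http-map1` and `mss-map` are arbitrary labels chosen here, and `global_policy` is assumed to be the default global policy.

```cisco
! Added example; object names are arbitrary labels, not from the thread.
!
! 1. Select the traffic. "any any" matches all TCP (the global variant).
!    Narrow this ACL to the affected web servers and ports to relax the
!    check for that traffic only and keep it enforced everywhere else.
access-list http-list2 permit tcp any any
!
! 2. Class map that matches the ACL above.
class-map http-map1
 match access-list http-list2
!
! 3. TCP map that passes segments whose data length exceeds the MSS
!    negotiated in the handshake, instead of dropping them.
tcp-map mss-map
 exceed-mss allow
!
! 4. Attach the TCP map to the class inside the global policy.
policy-map global_policy
 class http-map1
  set connection advanced-options mss-map
!
! 5. Normally already present in a default configuration.
service-policy global_policy global
!
! Compare the output of "show asp drop" before and after the change to
! confirm that the drops seen while an affected user posts a form stop.
```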