Community Member

ASA5512X - HTTP browsing problem - TCP reassembly error, new fragment overlaps old data

Hello,

I am having this strange issue with the HTTP traffic passing through the firewall. There are no policies configured on the CX module for web or application filtering; however, when I reload the CX module, the traffic is being allowed through the firewall only during the reload period of the CX module. Also, reading the CX events, it looks like the traffic is passing through fine. Attaching the screenshot.

The ASA5512-X is running 9.1.3 software and I am running the tests with the IPSec VPN client as I am not on the client's site (all the traffic goes through the FW, no split-tunnel). Once on VPN and accessing a website which initially runs on HTTPS and opens fine, there are some URLs inside this website that look like they redirect to HTTP and come back to HTTPS (strangely designed portal but needed for production); on the PC I get a security warning that the information is not being encrypted. When trying to open one of those URLs, after accepting the security warning, the website looks like it keeps loading and loading but nothing happens, and when I disconnect from the VPN this URL opens instantly.

In Wireshark I find this strange error: [Reassembly error, protocol TCP: New fragment overlaps old data (retransmission?)] and this is sent from my PC IP address, not the server. Attached is the conversation between my PC and the web server from Wireshark.

I already tried modifying MTU and MSS values, and also did the workaround for the issue described in the URL below; nothing has helped so far.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113137-asa-83-browse-00.html

What do you think may be happening? I need some guidance on analysis of the packet capture to figure out what config on the FW could be blocking those HTTP requests. I'm desperate to fix this issue and have already spent a few days trying to resolve it.


Thanks very much in advance.

Remi
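The Wireshark message quoted in the question is the reassembler noticing a segment whose byte range it has already seen. As an added illustration (not from the original post or from Cisco), this Python script classifies the segments in one direction of a TCP stream, using a constructed sample, so an analyst reading the capture can tell a plain retransmission from an overlap whose bytes differ from what was seen before, which is the case that points at something in the path rewriting the stream.

```python
"""Classify TCP segments by how they overlap bytes already reassembled.

Each segment is (seq, payload).  Verdicts:
  'new'             - no byte of this segment was seen before
  'retransmission'  - every byte was seen before and all of them match
  'overlap-same'    - some bytes seen before (all matching), some new
  'overlap-differs' - at least one overlapping byte differs from the copy
                      already reassembled (the suspicious case)
"""


def analyze_stream(segments):
    """Return [(seq, verdict), ...] for one direction of a TCP stream."""
    seen = {}  # absolute byte offset -> byte value first reassembled there
    verdicts = []
    for seq, payload in segments:
        same = diff = fresh = 0
        for i, b in enumerate(payload):
            off = seq + i
            if off not in seen:
                seen[off] = b  # first copy wins; later copies are only compared
                fresh += 1
            elif seen[off] == b:
                same += 1
            else:
                diff += 1
        if diff:
            verdict = "overlap-differs"
        elif same and fresh:
            verdict = "overlap-same"
        elif same:
            verdict = "retransmission"
        else:
            verdict = "new"
        verdicts.append((seq, verdict))
    return verdicts


def differing_segments(segments):
    """Sequence numbers of segments whose overlapping bytes changed content."""
    return [seq for seq, v in analyze_stream(segments) if v == "overlap-differs"]


# Constructed sample (hypothetical host name): an HTTP request in three
# segments, a clean retransmission, a partial overlap, then an overlap whose
# bytes no longer match what was seen the first time.
SAMPLE = [
    (1000, b"GET /portal/login HTTP/1.1\r\n"),  # bytes 1000-1027
    (1028, b"Host: example.test\r\n"),          # bytes 1028-1047
    (1048, b"\r\n"),                            # bytes 1048-1049
    (1028, b"Host: example.test\r\n"),          # identical retransmission
    (1048, b"\r\nX"),                           # re-covers 1048-1049, adds 1050
    (1040, b"E.TEST\r\n\r\n"),                  # same range, different bytes
]

if __name__ == "__main__":
    for seq, verdict in analyze_stream(SAMPLE):
        print(seq, verdict)
```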

1 REPLY
Community Member

OK, my recent finding is that it is definitely the CX module that is causing the problems. When I set the CX module to "monitor only" it does allow the traffic to pass through.

Anybody with CX configuration experience?

Thanks in advance.
