
ovt Bronze

FYI: IOS APPFW / Zone-based Policy FW - results of testing

If Deep Packet Inspection for HTTP is enabled as follows:

R2811#sh class-map type inspect http
 Class Map type inspect http match-any HTTP-DPI (id 16)
   Match req-resp protocol-violation
   Match request port-misuse any
   Match response body java-applet
   Match req-resp header content-type mismatch
   Match req-resp header content-type unknown
   Match req-resp header content-type violation

R2811#sh policy-map type inspect http
 Policy Map type inspect http HTTP-DPI
   Class HTTP-DPI
     Log
     Allow
   Class class-default

the following results are observed:

1. http://www.yahoo.com never opens (note that the policy doesn't deny anything; the action is "allow" and "log"). The diagnostic is %APPFW-4-HTTP_PROTOCOL_VIOLATION.

2. http://www.cisco.com opens with the diag: %APPFW-4-HTTP_DEOBFUSCATION

3. http://www.cisco.com/go/netpro (this site) opens with the diags: %APPFW-4-HTTP_CONT_TYPE_UNKNOWN, %APPFW-4-HTTP_DEOBFUSCATION, %APPFW-4-HTTP_CONT_TYPE_VIOLATION, %APPFW-3-HTTP_MAX_REQ_EXCEEDED: Number of unanswered HTTP requests exceeded the limit 10 - resetting session.

The last one is the most interesting. Extra sessions are reset. The performance is... It seems there is no way to increase the number of concurrent HTTP sessions in appfw / zone-based firewall. Does anybody know?

IOS 12.4(15)T
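To tell the log-only diagnostics above apart from the one that actually tears the session down, an added example (not the poster's code or Cisco's) that parses %APPFW syslog lines by severity and mnemonic and pulls out the unanswered-request limit from HTTP_MAX_REQ_EXCEEDED. The sample log is constructed; only the HTTP_MAX_REQ_EXCEEDED text is quoted from the post, the other message bodies are illustrative.

```python
import re
from collections import Counter

# Cisco IOS syslog shape: %FACILITY-SEVERITY-MNEMONIC: message text
APPFW_RE = re.compile(r"%APPFW-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+):\s*(?P<text>.*)$")
LIMIT_RE = re.compile(r"exceeded the limit (?P<limit>\d+)")

# Constructed sample log (not captured from the poster's router). Mnemonics are
# the ones the post reports; message bodies are illustrative except the
# HTTP_MAX_REQ_EXCEEDED line, which is quoted from the post.
SAMPLE_LOG = """\
*Mar  1 00:10:01: %APPFW-4-HTTP_PROTOCOL_VIOLATION: HTTP protocol violation detected (constructed)
*Mar  1 00:10:07: %APPFW-4-HTTP_DEOBFUSCATION: URI deobfuscation performed (constructed)
*Mar  1 00:10:09: %APPFW-4-HTTP_CONT_TYPE_UNKNOWN: unknown content-type in response (constructed)
*Mar  1 00:10:09: %APPFW-4-HTTP_CONT_TYPE_VIOLATION: content-type violation in response (constructed)
*Mar  1 00:10:10: %APPFW-3-HTTP_MAX_REQ_EXCEEDED: Number of unanswered HTTP requests exceeded the limit 10 - resetting session.
*Mar  1 00:10:11: %SYS-5-CONFIG_I: Configured from console by vty0
"""


def parse_appfw(log):
    """Return one dict per %APPFW line: severity (int), mnemonic, message text."""
    events = []
    for line in log.splitlines():
        m = APPFW_RE.search(line)
        if m:  # non-APPFW facilities (e.g. %SYS) are skipped
            events.append({"sev": int(m.group("sev")),
                           "mnem": m.group("mnem"),
                           "text": m.group("text")})
    return events


def count_by_mnemonic(events):
    """How often each inspection class fired; 'allow + log' classes only count here."""
    return Counter(e["mnem"] for e in events)


def session_resets(events):
    """Only HTTP_MAX_REQ_EXCEEDED (severity 3) resets the session; report it
    together with the unanswered-request limit parsed from the message."""
    resets = []
    for e in events:
        if e["mnem"] == "HTTP_MAX_REQ_EXCEEDED":
            m = LIMIT_RE.search(e["text"])
            resets.append({"limit": int(m.group("limit")) if m else None,
                           "text": e["text"]})
    return resets


if __name__ == "__main__":
    ev = parse_appfw(SAMPLE_LOG)
    print(count_by_mnemonic(ev))
    print(session_resets(ev))
```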
