Http inspection dropping all http traffic

I am testing out some inspection options on an ASA 5505, and I am running into a situation in which applying an http inspection is dropping all outbound http traffic. I get a "protocol violation" error in the logs.

Here is the setup: I'm not sure why the web traffic is getting dropped. Maybe I am missing something?

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect http http-inspect-map
 description Advanced http inspection
 parameters
  protocol-violation action drop-connection log
 match req-resp content-type mismatch
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect ipsec-pass-thru
  inspect http http-inspect-map
service-policy global_policy global

2 REPLIES


Hello Coling,

The thing is that the ASA is going to do a deep packet inspection for the HTTP traffic. If you do want to know why the ASA is dropping the packets, you will need to take captures on the ASA for that particular traffic and then check the RFC and analyze the reason why the packets are getting dropped.

The configuration is fine; that is why you are getting the drops. The ASA is taking into consideration the layer 7 policy map for the HTTP protocol.

I would not use the inspect HTTP on the ASA, as this additional inspection might add some latency problems for the end-users. If I add another security layer such as the layer 7 inspection, then you will need to make sure the HTTP packets are perfect, as with just one violation on the packet, it will get dropped.

Regards,

Julio

Do rate all the helpful posts

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com

Julio:

The funny thing is, when this policy is applied, ALL http traffic is dropped, with a "protocol violation" error. Just opening a page to Google fails.

I wonder if it has something to do with the content-type-mismatch

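As an added example (not the poster's or Julio's own configuration), the same HTTP inspection map can be cloned with every action switched to log-only, so a browsing test keeps working while the syslog shows which of the two checks (the protocol-violation parameter or the content-type mismatch match) is actually firing. The capture that Julio recommends is shown alongside it; the interface name "inside" and the host and TFTP addresses are assumed placeholders.

```text
! Log-only clone of http-inspect-map for troubleshooting (added example).
! Same checks as the original map, but nothing is dropped or reset.
policy-map type inspect http http-inspect-map-test
 description HTTP inspection in log-only mode for troubleshooting
 parameters
  protocol-violation action log
 match req-resp content-type mismatch
  log
!
! Swap the test map in for the original under the default class.
policy-map global_policy
 class inspection_default
  no inspect http http-inspect-map
  inspect http http-inspect-map-test
!
! Capture the client's HTTP flows on the inside interface so the flagged
! requests can be compared against the RFC (192.0.2.10 is a constructed host).
capture httpcap interface inside match tcp host 192.0.2.10 any eq 80
!
! Reproduce the browsing test, then review the packets, the per-map
! inspection counters and the ASP drop reasons.
show capture httpcap
show service-policy inspect http
show asp drop
!
! Export the capture for offline analysis (TFTP address is constructed).
copy /pcap capture:httpcap tftp://192.0.2.20/httpcap.pcap
```

Once the offending check is identified, restore the original map (or keep only the check that is not breaking normal browsing) rather than leaving the log-only map in production.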