Http inspection dropping all http traffic

Colin Higgins
Level 2

I am testing out some inspection options on an ASA 5505, and I am running into a situation in which applying an HTTP inspection is dropping all outbound HTTP traffic. I get a "protocol violation" error in the logs.

Here is the setup: I'm not sure why the web traffic is getting dropped. Maybe I am missing something?

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect http http-inspect-map
 description Advanced http inspection
 parameters
  protocol-violation action drop-connection log
 match req-resp content-type mismatch
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect ipsec-pass-thru
  inspect http http-inspect-map
service-policy global_policy global


Julio Carvajal
VIP Alumni

Hello Colin,

The thing is that the ASA is going to do a deep packet inspection for the HTTP traffic. If you do want to know why the ASA is dropping the packets, you will need to take captures on the ASA for that particular traffic and then check the RFC and analyze the reason why the packets are getting dropped.

The configuration is fine; that is why you are getting the drops. The ASA is taking into consideration the layer 7 policy map for the HTTP protocol.

I would not use the inspect HTTP on the ASA, as this additional inspection might add some latency problems for the end users, and if I add another security layer such as the layer 7 inspection, then you will need to make sure the HTTP packets are perfect, as with just one violation on the packet it will get dropped.

Regards,

Julio

Do rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio:

The funny thing is, when this policy is applied, ALL http traffic is dropped, with a "protocol violation" error. Just opening a page to Google fails.

I wonder if it has something to do with the content-type-mismatch.
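The inspection map in the question has two checks that both end in drop-connection, so the log entry alone does not say which one fired. The following is an added troubleshooting configuration, not from the original thread or from Cisco; it keeps the same policy-map name (http-inspect-map) and capture name (http_cap is an assumed name) and switches both checks to log-only so the admin can see which match triggers on ordinary browsing before turning drops back on. The capture and show commands are standard ASA CLI; the "outside" interface name is assumed.

```text
! Step 1: same inspection map, but log instead of drop, so traffic flows
! while the syslog shows which check is firing.
policy-map type inspect http http-inspect-map
 parameters
  protocol-violation action log
 match req-resp content-type mismatch
  log

! Step 2: capture the HTTP flows the policy sees (interface name assumed),
! then inspect them for the request Accept / response Content-Type pair
! that the mismatch check compares.
capture http_cap interface outside match tcp any any eq www
show capture http_cap

! Step 3: confirm the policy is applied and watch its counters and logs.
show service-policy inspect http
show logging | include HTTP

! Step 4: once the offending check is identified, either keep it as log
! only or drop the match line entirely before restoring drop-connection.
no capture http_cap
```

Running the map in log mode first is the usual way to separate a genuinely malformed request from a check that is simply stricter than the clients in use; the syslog produced by the log action names the match that fired, and the capture gives the packet evidence Julio refers to.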
