Cisco Support Community
Community Member

tcp-acked tcp-buffer-timeout inspect http

I am running an ASA with 8.0(2) code and http inspection enabled globally. For just one internet site in particular, it is virtually impossible to pull up a PDF page through a browser. It hangs up about 40% of the way through the 1.1MB download. I cleared the asp drop counters and put together some captures and was able to determine that the traffic is being dropped for one or both of the following reasons:

(1) tcp-acked - TCP DUP and has been ACKed

(2) tcp-buffer-timeout - TCP Out-of-Order packet buffer timeout

Disabling http inspection globally completely resolved the problem. The asp drops ceased and the PDF page would download perfectly. The problem is, however, that http inspection needs to remain enabled globally.

My task now is to disable http inspection for connections to just one website. I have attempted to use:

class-map WEBSITECM
 match access-list WEBSITEIP
policy-map type inspect http WEBSITEPM

The above config outputs:

ERROR: Specified class type is different from the policy-map type.

Can someone post a good config under the 8.0(2) code that will accomplish the goal? Is it possible to disable http inspection for just one IP address while otherwise enabling it globally? Can I turn off asp functionality for just one site in any other way?

Thank You


tcp-acked tcp-buffer-timeout inspect http

That is a policy-map type with a none class-map type, type with type none type with none type

Value our effort and rate the assistance!
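
An added example, not posted by either participant: one way to keep HTTP inspection on for all traffic except a single server is to apply `inspect http` through a Layer 3/4 class map whose ACL denies that server, inside the Layer 3/4 policy map rather than a `policy-map type inspect http`. It assumes the default `global_policy` and `inspection_default` names are in use; the ACL and class-map names and the address 192.0.2.10 are placeholders, and the config has not been tested on 8.0(2).

```cisco
! Added example. HTTP_INSPECT_ACL, HTTP_INSPECT_CM and 192.0.2.10 are
! hypothetical placeholders; substitute the real web server address.

! Layer 3/4 ACL: the "deny" entry excludes the site from the class,
! the "permit" entry keeps every other HTTP connection in it.
access-list HTTP_INSPECT_ACL extended deny tcp any host 192.0.2.10 eq www
access-list HTTP_INSPECT_ACL extended permit tcp any any eq www

! Plain (Layer 3/4) class map, so it can be referenced from a
! Layer 3/4 policy map such as global_policy.
class-map HTTP_INSPECT_CM
 match access-list HTTP_INSPECT_ACL

policy-map global_policy
 ! Remove the blanket HTTP inspection from the default class
 class inspection_default
  no inspect http
 ! Re-apply it only to the traffic the ACL permits
 class HTTP_INSPECT_CM
  inspect http

! global_policy is assumed to be bound already with:
!   service-policy global_policy global

! Check that inspection still counts other HTTP traffic, then reset the
! drop counters and retest the download against the excluded site.
show service-policy inspect http
clear asp drop
show asp drop
```

Connections to the excluded server then pass without HTTP inspection, so any protocol checks that inspection enforced no longer apply to that one destination.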