Cisco Support Community

Web traffic on a router with Cisco IOS version 12.3 is dropped with HTTP inspection configured

What is HTTP inspection?

HTTP Inspect is a generic HTTP decoder for user applications. Given a data buffer, HTTP Inspect will decode the buffer, find HTTP fields, and normalize the fields. HTTP Inspect works on both client requests and server responses.

The current version of HTTP Inspect only handles stateless processing. This means that HTTP Inspect looks for HTTP fields on a packet-by-packet basis, and will be fooled if packets are not reassembled. This works fine when there is another module handling the reassembly, but there are limitations in analyzing the protocol. Future versions will have a stateful processing mode which will hook into various reassembly modules.

HTTP Inspect has a very ``rich'' user configuration. Users can configure individual HTTP servers with a variety of options, which should allow the user to emulate any type of web server. Within HTTP Inspect, there are two areas of configuration: global and server.

Core issue

This problem occurs because the web site is not RFC compliant.

The Cisco IOS  router has the PIX Firewall enabled with the inspect command. The inspection rule has appfw configuration in it, and appfw policy has HTTP application in it. The HTTP application in appfw policy has the strict-http action {reset} command in it.

These logs are observed:

007783: Apr 10 10:08:30.140 PDT: %APPFW-4-HTTP_STRICT_PROTOCOL: Sig:15 HTTP
protocol violation detected - Reset -  HTTP Protocol not detected from to

Response pages coming from and its e-mail sites have a mal-formed, chunked encoding scheme. That violates strict-http rules. In particular, the page has a chunk size followed by three spaces before a \r\n combination that violates the strict-http rules. If the action for this rule is to reset, the connection is reset by the firewall, preventing the pages from loading from

Avoid the re-set action with strict-http if you see some pages failing to load.


For a  workaround, either remove the strict-http command or avoid re-setting connections in it, but include the alarm action.

Writing exceptions for strict-http is impractical. However, a note in Security Device Manager (SDM) 2.3 can be written by performing these steps:

  1. Detect non-compliant HTTP traffic.

  2. Check if you want SDM to examine HTTP traffic for packets that do not comply
    with the HTTP protocol.

  3. Use the permit, block, and alarm controls to specify the action that the router takes when this type of traffic is encountered.

    Note: Blocking non-compliant HTTP traffic can cause the router to drop
    traffic from popular websites that might not be blocked on the basis of
    content if those websites do not conform to the HTTP protocol.

To issue the strict-http command through SDM, perform these steps:

  1. Click Configure, and task Firewall and ACL.

  2. Click on the Application Security tab, and click on HTTP.