What websites are slow when your LAN users are accessing them? It’s common knowledge that some websites, such as banks, online shopping sites, or other special purpose servers that require extra backend processing before responding to a client request.
Not many people know this, bu the CSC SSM has a non-configurable, 90-second timeout between the client request and the server response to prevent transactions from tying up resources on the CSC SSM for too long. This means that transactions that take a longer time to process will fail.
The workaround is to exclude the site from scanning.
For example, for a site on the outside network with the IP address, 220.127.116.11:
access-list 101 remark ### exempt http traffic inspection by CSC SSM to 18.104.22.168 ###
access-list 101 deny tcp any host 22.214.171.124 eq http
access-list 101 remark ### inspection all other traffic ###
access-list 101 permit tcp any eq http
match access-list 101
service-policy my_csc_policy interface inside
Furthermore, you could also perform packet capture;
access-list cap_acl permit tcp any host 126.96.36.199
access-list cap_acl permit tcp host 188.8.131.52 any
capture cap access-list cap_acl interface inside
capture csc_cap interface asa_dataplane OR cplane
P/S: If you think this comment is useful, please do rate them nicely :-)
Ramraj Sivagnanam Sivajanam
Technical Specialist/Service Delivery Manager – Managed Service Department
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :