ASA CX - allows traffic through but web page cannot be loaded
I am having this strange issue with the HTTP traffic passing through the firewall. There are no policies configured on the CX module for web or application filtering; however, when I reload the CX module or simply put it in "monitor-only", the traffic is being allowed through the firewall. Also, reading the CX events, it looks like the traffic is passing through fine. Attaching the screenshot.
The ASA5512-X is running 9.1.3 software and I am running the tests with the IPSec VPN client as I am not on the client's site (all the traffic goes through the FW, no split-tunnel). Once on VPN and accessing a website which initially runs on HTTPS and opens fine, there are some URLs inside this website that look like they redirect to HTTP and come back to HTTPS (strangely designed portal, but needed for production); on the PC I get a security warning that the information is not being encrypted. When trying to open one of those URLs, after accepting the security warning, the website looks like it keeps loading and loading but nothing happens, and when I disconnect from the VPN this URL opens instantly.
In Wireshark I find this strange error: [Reassembly error, protocol TCP: New fragment overlaps old data (retransmission?)] and this is sent from my PC IP address, not the server. Attached is the conversation between my PC and the web server from Wireshark.
What do you think may be happening? I need some guidance on analysis of the packet capture to figure out what config on the FW could be blocking those HTTP requests. I am desperate to fix this issue and have already spent a few days trying to resolve it.
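The Wireshark message quoted in the post is raised when a TCP segment's sequence range covers bytes the dissector has already seen in that direction. Whether the overlapping bytes are identical (an ordinary retransmission, harmless) or differ (the payload was changed between the two copies, which points at something in the path rewriting or re-segmenting the stream) is the detail worth checking before blaming the firewall. The script below is an added example written for this answer, not something from the original post or from Cisco; it works on a constructed, one-direction TCP stream given as (sequence number, payload) tuples, which is what you would export from the capture's "Follow TCP Stream" or from the packet list for the PC-to-server direction.

```python
"""
Classify overlapping TCP segments in one direction of a stream.

Each segment is a (seq, payload) tuple: the absolute sequence number of its
first byte and the bytes it carried. The sample stream at the bottom is
constructed for this example and is not taken from the capture in the post.
"""


def find_overlaps(segments):
    """Return a list of (seq, kind, overlap_bytes) for every segment that
    overlaps data already seen.

    kind is 'retransmission' when every overlapping byte is identical to
    what was seen before, and 'conflict' when at least one overlapping byte
    differs (the two copies cannot both be right; something between sender
    and capture point altered or re-segmented the data).
    """
    seen = {}          # absolute byte offset -> first value observed there
    findings = []
    for seq, payload in segments:
        overlap_bytes = 0
        conflict = False
        for i, b in enumerate(payload):
            off = seq + i
            if off in seen:
                overlap_bytes += 1
                if seen[off] != b:
                    conflict = True
            else:
                seen[off] = b
        if overlap_bytes:
            kind = 'conflict' if conflict else 'retransmission'
            findings.append((seq, kind, overlap_bytes))
    return findings


def reassemble(segments, start_seq):
    """Rebuild the contiguous byte stream from start_seq, keeping the first
    copy of every byte, and stop at the first gap (missing sequence range).
    Returns the reassembled bytes."""
    seen = {}
    for seq, payload in segments:
        for i, b in enumerate(payload):
            seen.setdefault(seq + i, b)
    out = bytearray()
    off = start_seq
    while off in seen:
        out.append(seen[off])
        off += 1
    return bytes(out)


# Constructed sample: an HTTP request split across segments, with one exact
# retransmission of the Host header and one segment whose overlapping bytes
# disagree with what was sent earlier ("PLE" instead of "ple").
SAMPLE_SEGMENTS = [
    (1, b"GET /portal HTTP/1.1\r\n"),          # bytes 1..22
    (23, b"Host: example.test\r\n"),           # bytes 23..42
    (23, b"Host: example.test\r\n"),           # identical retransmission
    (33, b"PLE.test\r\nAccept: */*\r\n"),      # 10 overlapping bytes, 3 differ
]

if __name__ == "__main__":
    for seq, kind, n in find_overlaps(SAMPLE_SEGMENTS):
        print(f"segment at seq {seq}: {kind} ({n} overlapping bytes)")
    print(reassemble(SAMPLE_SEGMENTS, 1).decode("ascii", "replace"))
```

A stream where every finding is a 'retransmission' is just the client resending after a lost ACK, so the next place to look is why the server's replies (or the ACKs) never arrive through the VPN and firewall path; a 'conflict' means the bytes the server would reassemble are not the bytes the client meant to send, which a web server will often answer with silence or a reset.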