https://community.cisco.com/t5/network-security/http-inspection-dropping-all-http-traffic/m-p/1901967#M437303 <P>I am testing out some inspection options on an ASA 5505, and I am running into a situation in which applying a http inspection is dropping all outbound http traffic. I get a "protocol violation" error in the logs.</P><P></P><P>Here is the setup: I'm not sure why the web traffic is getting dropped. Maybe I am missing something?</P><P></P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P> message-length maximum client auto</P><P> message-length maximum 512</P><P>policy-map type inspect http http-inspect-map</P><P> description Advanced http inspection</P><P> parameters</P><P> protocol-violation action drop-connection log</P><P> match req-resp content-type mismatch</P><P> drop-connection log</P><P>policy-map global_policy</P><P> class inspection_default</P><P> inspect dns preset_dns_map </P><P> inspect ftp </P><P> inspect rsh </P><P> inspect rtsp </P><P> inspect esmtp </P><P> inspect sqlnet </P><P> inspect sunrpc </P><P> inspect xdmcp </P><P> inspect sip </P><P> inspect netbios </P><P> inspect tftp </P><P> inspect ip-options </P><P> inspect ipsec-pass-thru </P><P> inspect http http-inspect-map</P><P></P><P>service-policy global_policy global</P> Mon, 11 Mar 2019 23:05:12 GMT Colin Higgins 2019-03-11T23:05:12Z https://community.cisco.com/t5/network-security/http-inspection-dropping-all-http-traffic/m-p/1901967#M437303 <P>I am testing out some inspection options on an ASA 5505, and I am running into a situation in which applying a http inspection is dropping all outbound http traffic. I get a "protocol violation" error in the logs.</P><P></P><P>Here is the setup: I'm not sure why the web traffic is getting dropped. Maybe I am missing something?</P><P></P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P> message-length maximum client auto</P><P> message-length maximum 512</P><P>policy-map type inspect http http-inspect-map</P><P> description Advanced http inspection</P><P> parameters</P><P> protocol-violation action drop-connection log</P><P> match req-resp content-type mismatch</P><P> drop-connection log</P><P>policy-map global_policy</P><P> class inspection_default</P><P> inspect dns preset_dns_map </P><P> inspect ftp </P><P> inspect rsh </P><P> inspect rtsp </P><P> inspect esmtp </P><P> inspect sqlnet </P><P> inspect sunrpc </P><P> inspect xdmcp </P><P> inspect sip </P><P> inspect netbios </P><P> inspect tftp </P><P> inspect ip-options </P><P> inspect ipsec-pass-thru </P><P> inspect http http-inspect-map</P><P></P><P>service-policy global_policy global</P> Mon, 11 Mar 2019 23:05:12 GMT https://community.cisco.com/t5/network-security/http-inspection-dropping-all-http-traffic/m-p/1901967#M437303 Colin Higgins 2019-03-11T23:05:12Z https://community.cisco.com/t5/network-security/http-inspection-dropping-all-http-traffic/m-p/1901968#M437304 <HTML><HEAD></HEAD><BODY><P>Hello Coling,</P><P></P><P>The thing is that the ASA is going to do&nbsp; a deep packet inspection for the HTTP traffic, if you do want to know</P><P>why the ASA is dropping the packets you will need to take captures on the ASA for that particular traffic and then check the RFC and analize the reason of why the packets are getting dropped.</P><P></P><P>The configuration is fine, that is why you are getting the drops....The ASA is taking into consideration the layer 7 policy map for the HTTP protocol.</P><P></P><P>I would not use the inspect HTTP into the ASA as this additional inspection might add some latency problems to the end-users and if I add another security layer as the layer 7 inspection then you will need to make sure the HTTP packets are perfect as with just one violation on the packet this one will get dropped.</P><P></P><P>Regards,</P><P></P><P>Julio</P><P></P><P>Do rate all the helpful posts</P></BODY></HTML> Thu, 10 May 2012 17:35:10 GMT https://community.cisco.com/t5/network-security/http-inspection-dropping-all-http-traffic/m-p/1901968#M437304 Julio Carvajal 2012-05-10T17:35:10Z https://community.cisco.com/t5/network-security/http-inspection-dropping-all-http-traffic/m-p/1901969#M437305 <HTML><HEAD></HEAD><BODY><P style="padding: 0pt; margin: 0pt;">Julio:</P><P></P><P style="padding: 0pt; margin: 0pt;">The funny thing is, when this policy is applied, ALL http traffic is dropped, with a "protocol violation" error. Just opening a page to Google fails.</P><P></P><P style="padding: 0pt; margin: 0pt;">I wonder if it has something to do with the content-type-mismatch</P></BODY></HTML> Thu, 10 May 2012 21:32:45 GMT https://community.cisco.com/t5/network-security/http-inspection-dropping-all-http-traffic/m-p/1901969#M437305 Colin Higgins 2012-05-10T21:32:45Z