
ASA 5510 issues with websites

croager
Level 1

I have recently consolidated my infrastructure and moved a few websites from DataCenter1 to DataCenter2. DC1 was running a PIX 515 with 6.3.x IOS. DC2 was running an ASA 5510 with 7.0.4 IOS and has been for 18 months.

The websites that were moved from DC1 to DC2 have stopped functioning as designed. 10 of 500 people can no longer use the site. At first we had the ASA 5510 running 7.0.4 and these 10 users could not log into the site. When they tried to log into the site the site would take their credentials, authenticate them, create a session and send the cookie. But the browser would just hang and not load the new page.

We then upgraded the ASA from 7.0.4 to 7.2.x. Now they can log in, but when they go to use some of the forms on the site they can fill in the data, but when they post the data it will just hang. Again the site is accepting the data, but it is like the post back is never received by the client.

We have turned off Inspect HTTP but that does not seem to make a difference.

To test a theory we grabbed another PIX 515 running 6.3.x and swapped it with the ASA at DC2. All sites work fine. As soon as I put the ASA back in I get the above scenario.

Any help or direction would be appreciated.

1 Reply

amritpatek
Level 6

This problem may appear if the packets are getting dropped because of the TCP length exceeding the MSS. The workaround for this consists in allowing those packets in the policy. You may either want to enable it for any type of traffic, or for specific traffic only. Here are the configuration lines to disable it globally:

tcp-map mss-map
 exceed-mss allow
policy-map global_policy
 class inspection_default
  set connection advanced-options mss-map
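
One way to confirm the MSS diagnosis before relaxing the check is to count the drops per sender and receiver in the firewall's syslog. This is an added example, not part of the original reply; it assumes the ASA logs these drops as message 419001 in the format the regex matches, and the log lines and addresses are constructed samples.

```python
import re
from collections import OrderedDict

# Assumed layout of ASA syslog message 419001 (TCP segment larger than the
# MSS the receiving side advertised). Adjust if your release logs it differently.
MSS_DROP = re.compile(
    r"%(?:ASA|PIX)-4-419001: Dropping TCP packet from "
    r"(?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+), "
    r"reason: MSS exceeded, MSS (?P<mss>\d+), data (?P<data>\d+)"
)

# Constructed sample log (documentation address ranges), not from the thread.
SAMPLE_LOG = """\
Jan 10 09:14:02 fw1 %ASA-4-419001: Dropping TCP packet from inside:192.0.2.10/80 to outside:198.51.100.7/51514, reason: MSS exceeded, MSS 1380, data 1460
Jan 10 09:14:05 fw1 %ASA-4-419001: Dropping TCP packet from inside:192.0.2.10/80 to outside:198.51.100.7/51514, reason: MSS exceeded, MSS 1380, data 1460
Jan 10 09:15:40 fw1 %ASA-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.25/40022 (203.0.113.25/40022) to inside:192.0.2.10/80 (192.0.2.10/80)
Jan 10 09:15:41 fw1 %ASA-4-419001: Dropping TCP packet from inside:192.0.2.10/80 to outside:203.0.113.25/40022, reason: MSS exceeded, MSS 1260, data 1380
"""

def summarize_mss_drops(log_text):
    """Group MSS-exceeded drops by (sender_ip, receiver_ip)."""
    stats = OrderedDict()
    for line in log_text.splitlines():
        m = MSS_DROP.search(line)
        if not m:
            continue  # unrelated syslog message
        key = (m["src_ip"], m["dst_ip"])
        entry = stats.setdefault(
            key, {"drops": 0, "mss": int(m["mss"]), "max_data": 0})
        entry["drops"] += 1
        # Smallest advertised MSS and largest offending segment seen so far.
        entry["mss"] = min(entry["mss"], int(m["mss"]))
        entry["max_data"] = max(entry["max_data"], int(m["data"]))
    return stats

def affected_receivers(stats):
    """Hosts that never received the oversized segments (the hanging clients)."""
    return sorted({dst for (_src, dst) in stats})

if __name__ == "__main__":
    for (src, dst), e in summarize_mss_drops(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {e['drops']} drops, "
              f"MSS {e['mss']}, largest segment {e['max_data']}")
```

If the receivers listed match the users whose pages hang, the sender and receiver addresses also show which traffic a narrower, non-global policy would need to cover.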
