04-19-2007 07:05 AM - edited 03-11-2019 03:01 AM
Hello, I have an issue with a newly configured ASA firewall (running v7).
From a client machine (using the ASA as the default gateway) I can download files from sites that use FTP but not from sites that use http. However, if I use Firefox (rather than Internet Explorer) I can download from FTP and HTTP without issue. General browsing works fine in all scenarios.
If I enter our proxy server details into Internet Explorer - downloading is fine also. I want to move away from this config though as the ISA proxy server is in the process of being decommissioned.
Please help
04-22-2007 02:54 AM
Hello,
If you can post your config, it will help solve your issue quickly.
04-23-2007 02:43 AM
04-23-2007 03:06 AM
Have you tried putting the inspect on HTTP traffic?
04-23-2007 04:10 AM
Thanks for the reply. I've added the 'inspect http' command to the global policy but alas it's made no difference.
04-24-2007 12:58 AM
It seems to me that you are facing a problem with the TCP MSS. I think that your ASA is dropping packets that exceed the MSS advertised in the handshake phase. You can add the following code to solve it:
access-list http-list permit tcp any host server_ip eq 80
class-map http
 match access-list http-list
tcp-map tmap
 exceed-mss allow
policy-map global_policy
 class http
  set connection advanced-options tmap
04-24-2007 01:28 AM
I'm afraid that makes no difference either (just hangs on the 'file download' box)
04-30-2007 12:35 AM
Any more takers? I can't turn off ISA until I have a resolution to this. Thanks.
04-30-2007 06:33 AM
More info - it actually seems to be related to certain sites rather than protocols, i.e. I can download from HP and Dell websites but not Microsoft (though automatic updates is working).
05-01-2007 11:41 PM
Even more info. We use Websense to filter URLs and turning off the filtering enables downloading without issue. I'll need to do a bit more digging into why this is.
05-02-2007 12:18 PM
We ran into this, too; it appears to be a bug with the Websense integration in earlier 7.x releases. Upgrading from 7.1(2) to 7.2(2) fixed it for us.