05-10-2012 07:58 AM - edited 03-11-2019 04:05 PM
I am testing out some inspection options on an ASA 5505, and I am running into a situation in which applying a http inspection is dropping all outbound http traffic. I get a "protocol violation" error in the logs.
Here is the setup: I'm not sure why the web traffic is getting dropped. Maybe I am missing something?
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect http http-inspect-map
 description Advanced http inspection
 parameters
  protocol-violation action drop-connection log
 match req-resp content-type mismatch
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect ipsec-pass-thru
  inspect http http-inspect-map
service-policy global_policy global
05-10-2012 10:35 AM
Hello Coling,
The thing is that the ASA is going to do deep packet inspection for the HTTP traffic. If you want to know
why the ASA is dropping the packets, you will need to take captures on the ASA for that particular traffic and then check the RFC and analyze the reason why the packets are getting dropped.
The configuration is fine; that is why you are getting the drops. The ASA is taking into consideration the layer 7 policy map for the HTTP protocol.
I would not use inspect HTTP on the ASA, as this additional inspection might add some latency problems for the end-users, and if you add another security layer such as the layer 7 inspection then you will need to make sure the HTTP packets are perfect, as with just one violation in a packet it will get dropped.
Regards,
Julio
Do rate all the helpful posts
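The capture-and-compare workflow Julio describes, written out as an added troubleshooting example (this is not configuration from the original post). The interface name `inside`, the client address 192.168.1.10, the web server address 203.0.113.10 and the capture names are assumptions; substitute your own. The last step switches both HTTP inspection actions from `drop-connection log` to `log` only, so every hit is still recorded in syslog while traffic keeps flowing, which makes it possible to line the logged matches up against the capture.

```cisco
! Added example, not from the original thread. Interface, addresses and
! capture names are assumptions.
!
! 1. Capture the client's HTTP flow on the inside interface so the exchange
!    that triggers the violation can be read against the RFC.
capture http-in interface inside match tcp host 192.168.1.10 any eq 80
!
! 2. Capture everything the accelerated security path drops, with the drop
!    reason attached to each packet.
capture drops type asp-drop all
!
! 3. Confirm the flow is classified into inspection_default and hits the
!    http inspection at all (packet-tracer simulates the initial SYN only).
packet-tracer input inside tcp 192.168.1.10 40000 203.0.113.10 80 detailed
!
! 4. Reproduce the problem from the client, then read the captures and the
!    per-match counters of the HTTP inspection.
show capture http-in
show capture drops
show service-policy inspect http
!
! 5. While investigating, log instead of dropping: same policy map, same
!    matches, actions changed from "drop-connection log" to "log".
policy-map type inspect http http-inspect-map
 parameters
  protocol-violation action log
 match req-resp content-type mismatch
  log
!
! 6. Clean up the captures when done.
no capture http-in
no capture drops
```

Usage note: packet-tracer only shows that the connection is permitted and passed to the HTTP inspection engine; it carries no payload, so it cannot reproduce a protocol-violation or content-type-mismatch decision. Those have to come from the real traffic in the `http-in` capture, read next to the syslog messages the log-only policy produces.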
05-10-2012 02:32 PM
Julio:
The funny thing is, when this policy is applied, ALL http traffic is dropped, with a "protocol violation" error. Just opening a page to Google fails.
I wonder if it has something to do with the content-type-mismatch
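Since the thread ends on the suspicion that the `req-resp content-type mismatch` match is responsible, here is an added example (not code from the original post or from Cisco) of what that kind of check compares: the media type in the response's `Content-Type` against the media ranges the request's `Accept` header listed. The request and response below are constructed sample messages modelled on a browser fetching a page from Google. The block contrasts an over-strict comparison (exact string match, no wildcard and no parameter handling) with an RFC-style one (wildcards honoured, `;charset=` and `;q=` parameters stripped, `q=0` treated as unacceptable). It does not claim to reproduce the ASA's own algorithm; it shows why a browser's ordinary `Accept` line can look like a mismatch to a strict comparison even though the response is exactly what was asked for.

```python
"""Content-Type vs Accept comparison, as an illustration of a
request/response content-type mismatch check.

Added example; the sample HTTP messages are constructed, not captured.
"""
from typing import List, Tuple

# Constructed sample: a typical browser request and a typical HTML response.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: www.google.com\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def header(raw: str, name: str) -> str:
    """Return the first value of header `name` (case-insensitive) from a raw message, or ''."""
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request/status line
        if ":" in line:
            key, value = line.split(":", 1)
            if key.strip().lower() == name.lower():
                return value.strip()
    return ""


def media_type(value: str) -> str:
    """Drop parameters such as ';charset=UTF-8' or ';q=0.9' and lower-case the type."""
    return value.split(";", 1)[0].strip().lower()


def parse_accept(value: str) -> List[Tuple[str, float]]:
    """Parse an Accept header into (media_range, q) pairs; q defaults to 1.0."""
    ranges = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        q = 1.0
        for param in item.split(";")[1:]:
            key, _, val = param.strip().partition("=")
            if key.strip().lower() == "q":
                try:
                    q = float(val)
                except ValueError:
                    q = 0.0
        ranges.append((media_type(item), q))
    return ranges


def accept_matches(accept: str, content_type: str) -> bool:
    """RFC-style check: some acceptable media range (q > 0) covers the response type."""
    if not accept:
        return True                                # no Accept header: anything goes
    ctype, _, csub = media_type(content_type).partition("/")
    for media_range, q in parse_accept(accept):
        if q <= 0:
            continue                               # q=0 means explicitly not acceptable
        atype, _, asub = media_range.partition("/")
        if atype in ("*", ctype) and asub in ("*", csub):
            return True
    return False


def naive_matches(accept: str, content_type: str) -> bool:
    """Over-strict check: the full Content-Type string must appear verbatim in Accept."""
    return content_type in [s.strip() for s in accept.split(",")]


def check_pair(request: str, response: str, strict: bool = False) -> bool:
    """Return True when the request/response pair would be flagged as a mismatch."""
    accept = header(request, "Accept")
    ctype = header(response, "Content-Type")
    ok = naive_matches(accept, ctype) if strict else accept_matches(accept, ctype)
    return not ok


if __name__ == "__main__":
    print("strict comparison flags mismatch:", check_pair(SAMPLE_REQUEST, SAMPLE_RESPONSE, strict=True))
    print("RFC-style comparison flags mismatch:", check_pair(SAMPLE_REQUEST, SAMPLE_RESPONSE))
```

For the constructed Google exchange the strict comparison reports a mismatch (the response says `text/html; charset=UTF-8`, which is not literally in the Accept list) while the RFC-style comparison does not (`text/html` is the first range the browser asked for, and `*/*;q=0.8` would cover anything else). A genuine mismatch, such as `image/png` against `Accept: text/html`, is flagged by both.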