inspect http issue - unable to browse secure site.

amitmarathe
Level 1

Hi,

The current version of the ASA firewall is 7.1(2), in which, when inspect http is enabled, opening a secure site like an Axis Bank account or any money market site either displays a blank page or a "page cannot be displayed" error message appears. When I disable this command I am able to access all the secure sites properly. It looks like a bug, but in the release notes I am not finding any bug related to this issue. Please help me resolve this issue.

Amit M.

2 Replies

m.kafka
Level 4

Maybe you should repost this in the section "Firewall".

inspect http does nothing by default to HTTPS tcp/443 connections. There must be some other configurations which are different from the factory default.

Thanks for the reply. When I disable http inspection and try to open the login page for some of the sites, "this page cannot be displayed" appears. I also tried to see whether the MSS might be getting exceeded, and found that TCP MSS is not showing in the show asp drop output. I still created a class for MSS exceeded and applied it in the global configuration, but it does not work. Later I had to disable the http inspection and it started working. Now the question is: when clicking on the login button, it goes from an http to an https page; during this shift from http to https, why does it affect the connection when http inspection is enabled?

Following is the show asp drop output.

Please check

PIXFIREWALL# sho asp drop

Frame drop:
  Invalid IP header                                 10
  No route to host                                  13
  Reverse-path verify failed                    398846
  Flow is denied by configured rule             107075
  Flow denied due to resource limitation            35
  Invalid SPI                                        2
  First TCP packet not SYN                       62706
  TCP failed 3 way handshake                      1211
  TCP RST/FIN out of order                          39
  TCP packet SEQ past window                         1
  TCP invalid ACK                                    1
  TCP packet buffer full                           209
  TCP RST/SYN in window                             14
  TCP DUP and has been ACKed                     10411
  TCP packet failed PAWS test                       10
  IPSEC tunnel is down                             137
  IP option drop                                   551
  Expired flow                                      26
  ICMP Inspect seq num not matched                1057
  ICMP Error Inspect different embedded conn        60
  DNS Inspect id not matched                      4674
  IPS Module requested drop                          8
  FP L2 rule drop                                22988
  Interface is down                                  8

Flow drop:
  Flow terminated by IPS                            16
  NAT failed                                     13066
  Tunnel being brought up or torn down             514
  Need to start IKE negotiation                   2136
  Inspection failure                                60
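
The counters above are cumulative, so a single listing does not show which drop reason corresponds to the failing login. The following is an added example, not part of the original thread: it parses two `show asp drop` captures, taken before and after reproducing the problem, and reports only the counters that grew. The function names and both sample captures are constructed for illustration.

```python
import re

# Constructed sample captures in the `show asp drop` layout (values are made up).
BEFORE = """\
Frame drop:
  TCP failed 3 way handshake                      1211
  TCP packet buffer full                           209
Flow drop:
  NAT failed                                     13066
  Inspection failure                                60
"""
AFTER = """\
Frame drop:
  TCP failed 3 way handshake                      1211
  TCP packet buffer full                           214
Flow drop:
  NAT failed                                     13066
  Inspection failure                                63
  Tunnel being brought up or torn down               1
"""

SECTION = re.compile(r"^(\S.*?):\s*$")            # e.g. "Frame drop:"
COUNTER = re.compile(r"^\s+(\S.*?)\s+(\d+)\s*$")  # indented "reason   count"

def parse_asp_drop(text):
    """Return {(section, reason): count}; prompt and blank lines are ignored."""
    counters, section = {}, None
    for line in text.splitlines():
        if m := SECTION.match(line):
            section = m.group(1)
        elif (m := COUNTER.match(line)) and section:
            counters[(section, m.group(1))] = int(m.group(2))
    return counters

def drop_deltas(before, after):
    """Counters that increased between two captures, largest increase first.
    A reason absent from the first capture counts from zero; counters that
    went down (for example after being cleared) are skipped."""
    old, new = parse_asp_drop(before), parse_asp_drop(after)
    grown = {k: v - old.get(k, 0) for k, v in new.items() if v > old.get(k, 0)}
    return sorted(grown.items(), key=lambda kv: -kv[1])

if __name__ == "__main__":
    for (section, reason), delta in drop_deltas(BEFORE, AFTER):
        print(f"{section:<11} {reason:<40} +{delta}")
```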
