Long URL not allowed by ASA

Hi All,

I am trying to download a file, but I get redirected to a very long URL and I'm wondering if this could be the reason why the ASA is dropping the connection.

If I try to download the file without going through the ASA, it works fine.

The problem is that the URL is an HTTPS connection, and I don't seem to get an error when I do a Packet Tracer; the connection goes fine, but I cannot test the Packet Tracer connection up to the final URL. The same happens with the ASP drop: I don't see the message that tells me why the connection is being blocked.

There is so much traffic that I cannot filter the logs to see what's going on.

I tried a capture, but since it's HTTPS I don't see any reason.

My question is:

Is it possible that since the URL is too big, the ASA might be blocking it?

I've tried incrementing the size of the DNS replies and the body of the HTTP inspection and that did not help.

Please let me know your comments or suggestions.

Thank you,

Federico.

30 Replies

Yes, the only way to turn off inspection completely for certain sites is to define what to avoid with ACLs, so you wouldn't be able to use domain names in that scenario.

You could match the host field in the request header for a particular site that you do not want to inspect (using HTTP inspection) and then have no action as a result of the inspection. This class-map should be at the top of your global policy. Then you can add a second class map (or use inspection default) with the required inspection for the rest of the HTTP traffic.
