06-10-2011 05:46 AM - edited 03-11-2019 01:43 PM
Some http traffic seems to trigger the following syslog messages, generated by the 'inspect http' engine.
ASA-4-415016: policy-map dmz-policy:Maximum number of unanswered HTTP requests exceeded - Resetting connection from dmz01:xx.xx.xx.xx/33309 to prod01:yy.yy.yy.yy/80.
What is the maximum number of unanswered HTTP requests anyway, and how can I increase it? I've tried increasing it by setting per-client-embryonic-max to 100 in the policy. However, the connection policy hasn't dropped any packets. We're running 8.2(5) software.
The Cisco error message decoder says that the 'protocol-violation action' command should be entered to correct this. I have 'protocol-violation' action set to 'log', so it shouldn't drop or reset anything because of this.
Interface dmz01:
Service-policy: dmz-policy
Class-map: htpp-traffic-class
Set connection policy: conn-max 10000 embryonic-conn-max 1000 per-client-max 250 per-client-embryonic-max 100
current embryonic conns 0, current conns 40, drop 0
Set connection timeout policy:
idle 1:00:00 reset
DCD: disabled, retry-interval 0:00:15, max-retries 5
DCD: client-probe 0, server-probe 0, conn-expiration 0
Inspect: http http-policy, packet 205322, drop 982, reset-drop 982
policy-map type inspect http http-policy
parameters
protocol-violation action log
policy-map dmz-policy
class htpp-traffic-class
set connection conn-max 10000 embryonic-conn-max 1000 per-client-max 250 per-client-embryonic-max 100
set connection timeout idle 1:00:00 reset
inspect http http-policy
06-10-2011 06:31 AM
Hi,
The maximum number of unanswered HTTP requests is 10 and cannot be increased.
Regards,
Anu
06-10-2011 07:15 AM
So how can I inspect HTTP traffic to my proxy servers and web servers without causing proxy errors? I'm using HTTP inspection to inspect the traffic from my HTTP proxy server to the web servers as well.
Remco
06-10-2011 08:41 AM
Hi Remco,
Not sure what you meant by "proxy-errors". If the connections are getting reset even though the action is "log", then you might have to exempt traffic to the servers from HTTP inspection, since more than 10 requests cannot be held. Do give it a try and let me know.
Regards,
Anu
06-11-2011 10:31 PM
Thanks for replying Anu,
Let me explain the 'proxy-errors'. The proxy server is a reverse proxy, protecting the web servers by being an application gateway / session terminator. When an HTTP session gets dropped / reset by the firewall, the browser reports 'proxy error'.
Browser ---> DMZ Firewall ---> Reverse proxy server ---> Firewall ---> Webservers
However, both firewalls are reporting errors ASA-4-415016 during normal HTTP sessions. I could exempt this traffic from inspection and let the proxy server take care of HTTP protocol inspection. However, this would mean that the Cisco HTTP inspection is not up to the job of protecting web servers.
Regards,
Remco
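Added example, not part of this thread: a small parser for the ASA-4-415016 message quoted above that counts resets per source/destination pair, so that the flows tripping the 10-unanswered-request limit (here, the reverse proxy to web server path) can be identified before deciding which of them to exempt from HTTP inspection. The sample log lines and addresses are constructed.

```python
import re
from collections import Counter

# Matches the ASA-4-415016 message in the form quoted in the thread; a leading
# "%" and any syslog timestamp/hostname before it are tolerated.
MSG_415016 = re.compile(
    r"%?ASA-4-415016:\s*policy-map\s+(?P<policy>\S+?):"
    r"Maximum number of unanswered HTTP requests exceeded\s*-\s*"
    r"Resetting connection from\s+"
    r"(?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)\s+to\s+"
    r"(?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)\.?"
)


def parse_415016(line):
    """Return the fields of a 415016 message as a dict, or None for other lines."""
    m = MSG_415016.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def reset_pairs(lines):
    """Count resets per (src_ip, 'dst_ip:dst_port'); the pairs that keep hitting
    the limit (e.g. reverse proxy -> web server) are the exemption candidates."""
    counts = Counter()
    for line in lines:
        rec = parse_415016(line)
        if rec:
            counts[(rec["src_ip"], f'{rec["dst_ip"]}:{rec["dst_port"]}')] += 1
    return counts


# Constructed sample log lines; addresses are made up, not from the thread.
SAMPLE_LOG = """\
Jun 10 05:40:01 fw1 %ASA-4-415016: policy-map dmz-policy:Maximum number of unanswered HTTP requests exceeded - Resetting connection from dmz01:10.1.1.5/33309 to prod01:10.2.2.10/80.
Jun 10 05:40:02 fw1 %ASA-4-415016: policy-map dmz-policy:Maximum number of unanswered HTTP requests exceeded - Resetting connection from dmz01:10.1.1.5/33310 to prod01:10.2.2.10/80.
Jun 10 05:40:03 fw1 %ASA-6-302013: Built inbound TCP connection 12345 for dmz01:10.1.1.5/33311 (10.1.1.5/33311) to prod01:10.2.2.10/80 (10.2.2.10/80)
Jun 10 05:40:04 fw1 %ASA-4-415016: policy-map dmz-policy:Maximum number of unanswered HTTP requests exceeded - Resetting connection from dmz01:10.1.1.7/40001 to prod01:10.2.2.11/80.
"""

if __name__ == "__main__":
    for (src, dst), n in reset_pairs(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:4d} resets  {src} -> {dst}")
```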