Maximum number of unanswered HTTP requests exceeded

remcolamee
Level 1

Some http traffic seems to trigger the following syslog messages, generated by the 'inspect http' engine.

ASA-4-415016: policy-map dmz-policy:Maximum number of unanswered HTTP requests exceeded - Resetting connection from dmz01:xx.xx.xx.xx/33309 to prod01:yy.yy.yy.yy/80.

What is the maximum number of unanswered HTTP requests anyway, and how can I increase it? I've tried increasing it by setting per-client-embryonic-max to 100 in the policy. However, the connection policy hasn't dropped any packets. We're running 8.2(5) software.

The Cisco error message decoder says that the 'protocol-violation action' command should be entered to correct this. I have the 'protocol-violation' action set to 'log', so it shouldn't drop or reset anything because of this.

Interface dmz01:
  Service-policy: dmz-policy
    Class-map: htpp-traffic-class
      Set connection policy: conn-max 10000 embryonic-conn-max 1000 per-client-max 250 per-client-embryonic-max 100
        current embryonic conns 0, current conns 40, drop 0
      Set connection timeout policy:
        idle 1:00:00 reset
        DCD: disabled, retry-interval 0:00:15, max-retries 5
        DCD: client-probe 0, server-probe 0, conn-expiration 0
      Inspect: http http-policy, packet 205322, drop 982, reset-drop 982

policy-map type inspect http http-policy
 parameters
  protocol-violation action log

policy-map dmz-policy
 class htpp-traffic-class
  set connection conn-max 10000 embryonic-conn-max 1000 per-client-max 250 per-client-embryonic-max 100
  set connection timeout idle 1:00:00 reset
  inspect http http-policy

Accepted Solution

Anu M Chacko
Cisco Employee

Hi,

The maximum number of unanswered HTTP requests is 10 and cannot be increased.

Regards,

Anu

4 Replies


So how can I inspect HTTP traffic to my proxy servers and web servers without causing proxy errors? I'm using HTTP inspection to inspect the traffic from my HTTP proxy server to the web servers as well.

Remco

Hi Remco,

Not sure what you meant by "proxy-errors". If the connections are getting reset even though the action is "log", then you might have to exempt traffic to the servers from HTTP inspection, since more than 10 requests cannot be held. Do give it a try and let me know.

Regards,

Anu

Thanks for replying, Anu.

Let me explain the 'proxy errors'. The proxy server is a reverse proxy, protecting the web servers by being an application gateway / session terminator. When an HTTP session gets dropped / reset by the firewall, the browser reports 'proxy error'.

Browser ---> DMZ Firewall ---> Reverse proxy server ---> Firewall ---> Webservers

However, both firewalls are reporting ASA-4-415016 errors during normal HTTP sessions. I could exempt this traffic from inspection and let the proxy server take care of HTTP protocol inspection. However, this would mean that the Cisco HTTP inspection is not up to the job of protecting web servers.

Regards,

Remco
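As an added example (not from the thread or from Cisco), the script below parses the ASA-4-415016 message quoted in the original post and counts resets per client/server pair, so that the flows Anu suggests exempting from HTTP inspection can be identified from the syslog rather than guessed. The sample log lines, addresses and the `min_resets` threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample syslog lines, in the format of the ASA-4-415016 message
# quoted in the thread, plus one unrelated message to show it is ignored.
SAMPLE_LOGS = """\
%ASA-4-415016: policy-map dmz-policy:Maximum number of unanswered HTTP requests exceeded - Resetting connection from dmz01:10.1.1.5/33309 to prod01:10.2.2.10/80.
%ASA-4-415016: policy-map dmz-policy:Maximum number of unanswered HTTP requests exceeded - Resetting connection from dmz01:10.1.1.5/33310 to prod01:10.2.2.10/80.
%ASA-4-415016: policy-map dmz-policy:Maximum number of unanswered HTTP requests exceeded - Resetting connection from dmz01:10.1.1.5/33311 to prod01:10.2.2.11/80.
%ASA-4-106023: Deny tcp src outside:198.51.100.7/4455 dst dmz01:10.1.1.5/80 by access-group "outside_in"
"""

# Fields as they appear in the message: policy-map name, then
# "<interface>:<ip>/<port>" for source and destination.
MSG_RE = re.compile(
    r"ASA-4-415016: policy-map (?P<policy>\S+):Maximum number of unanswered HTTP "
    r"requests exceeded - Resetting connection from "
    r"(?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)


def parse_415016(line):
    """Return the message fields as a dict, or None if the line is not a 415016 reset."""
    m = MSG_RE.search(line)
    return m.groupdict() if m else None


def summarize_resets(log_text):
    """Count resets per (policy-map, client ip, server interface:ip/port)."""
    by_flow = Counter()
    for line in log_text.splitlines():
        rec = parse_415016(line)
        if rec is None:
            continue
        server = f'{rec["dst_if"]}:{rec["dst_ip"]}/{rec["dst_port"]}'
        by_flow[(rec["policy"], rec["src_ip"], server)] += 1
    return by_flow


def exemption_candidates(log_text, min_resets=2):
    """Client/server pairs reset at least min_resets times: the flows to consider
    excluding from 'inspect http', since the 10-request limit is not tunable."""
    flows = summarize_resets(log_text)
    return sorted(k for k, n in flows.items() if n >= min_resets)


if __name__ == "__main__":
    for flow, n in summarize_resets(SAMPLE_LOGS).most_common():
        print(n, "resets:", flow)
    print("candidates:", exemption_candidates(SAMPLE_LOGS))
```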
