Problem connecting to a website through ASA
07-30-2007 08:10 AM - edited 03-11-2019 03:51 AM
I have an ASA and connection to the internet. I'm currently having problems with connectivity to a server which dishes out WMP DRM licenses. I read the 'known problem' relating to the MSS but this doesn't seem to be the problem as the values stated in the SYN and SYN-ACKs via an Ethereal capture on my laptop look OK. The server responds after the HTTP GET with a HTTP 500 error. I've tried the same site/license HTTP string on my home broadband with a PIX and all works a treat. Any suggestions or next steps? Cheers
Labels: NGFW Firewalls
07-31-2007 12:19 AM
Update:
During a successful connection to the server an Ethereal capture shows that the server responded to the HTTP GET with a "(TCP previous segment lost), continuation or non HTTP traffic" which contained half of my HTTP web address string. Then a duplicate ACK is sent from the client, then the server responds with a TCP re-transmission of the 'HTTP found' command. This happens EVERY time, I guess this is the source of the problem as the ASA must not like this duplication/retransmission.
Can anyone help!?
Cheers
07-31-2007 07:39 AM
Is there anyone who can help?
I've been reading this in the documentation...
Set the maximum number of out-of-order packets that can be queued for a TCP connection:
hostname(config-tcp-map)# queue-limit pkt_num
Where pkt_num specifies the maximum number of out-of-order packets. The range is 0 to 250 and the default is 0.
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/protect.html
The default for a PIX OS 6 is 3 - could this be why the ASA is discarding the out of sequence packets?
07-31-2007 07:43 AM
You can see if the o-o-o packets are causing your issue by looking at the 'show asp drop' command. There is a counter called Out of order packet buffer full. If this counter increments quickly, you need to increase the number of buffers. Here is an explanation on how to change the buffer size:
1) Define an access-list for interesting traffic:
access-list tcp-queue-limit extended permit tcp any any eq 80
access-list tcp-queue-limit extended permit tcp any eq 80 any
access-list tcp-queue-limit extended permit tcp any any eq 443
access-list tcp-queue-limit extended permit tcp any eq 443 any
This only defines it for port 80 and 443 traffic.
2) Define your tcp-map:
tcp-map queue-limit-map
queue-limit 6
3) Define a class map:
class-map tcp-queue-limit
match access-list tcp-queue-limit
4) Now match everything up in your policy map that is/will be applied globally:
policy-map global_policy
class tcp-queue-limit
set connection advanced-options queue-limit-map
Note: this can only be done on an ASA not a PIX
******** Please Rate *****************
Jay
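Jay's advice is to watch whether the "Out of order packet buffer full" counter in 'show asp drop' keeps climbing before touching the queue-limit. The following script is an added example (not part of this thread and not a Cisco tool) that diffs two pasted snapshots of that output and reports which drop counters grew and how fast. The two snapshots and the counter name tcp-buffer-full are constructed/assumed here to resemble the ASA layout ("description (name) count"); check the name against your own box before relying on it.

```python
import re
from typing import Dict

# One counter line of 'show asp drop', e.g.
#   "  Out of order packet buffer full (tcp-buffer-full)   482"
# Section headers ("Frame drop:", "Flow drop:") and "Last clearing:" do not match.
COUNTER_RE = re.compile(
    r"^\s*(?P<desc>.+?)\s+\((?P<name>[a-z0-9-]+)\)\s+(?P<count>\d+)\s*$"
)

# Assumed short name of the counter Jay refers to; verify on your ASA.
OOO_BUFFER_FULL = "tcp-buffer-full"


def parse_asp_drop(text: str) -> Dict[str, int]:
    """Return {counter-name: count} for every counter line in the pasted output."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group("name")] = int(m.group("count"))
    return counters


def counter_deltas(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Counters that increased between the two snapshots, with the increase."""
    names = set(before) | set(after)
    deltas = {n: after.get(n, 0) - before.get(n, 0) for n in names}
    return {n: d for n, d in deltas.items() if d > 0}


def drops_per_second(before: Dict[str, int], after: Dict[str, int],
                     seconds: float, name: str = OOO_BUFFER_FULL) -> float:
    """Rate of one counter between snapshots taken `seconds` apart."""
    if seconds <= 0:
        raise ValueError("snapshot interval must be positive")
    return (after.get(name, 0) - before.get(name, 0)) / seconds


def ooo_queue_is_suspect(before: Dict[str, int], after: Dict[str, int],
                         seconds: float, threshold_per_sec: float = 1.0) -> bool:
    """True if the out-of-order buffer-full counter grows faster than the threshold."""
    return drops_per_second(before, after, seconds) > threshold_per_sec


# Constructed sample output, 60 seconds apart (not captured from a real ASA).
SNAPSHOT_BEFORE = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                        1203
  Invalid TCP length (invalid-tcp-hdr-length)                            17
  Out of order packet buffer full (tcp-buffer-full)                     482
  TCP packet SEQ past window (tcp-seq-past-win)                           4
Last clearing: Never
Flow drop:
  Inspection failure (inspect-fail)                                       9
"""

SNAPSHOT_AFTER = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                        1210
  Invalid TCP length (invalid-tcp-hdr-length)                            17
  Out of order packet buffer full (tcp-buffer-full)                    1742
  TCP packet SEQ past window (tcp-seq-past-win)                           4
Last clearing: Never
Flow drop:
  Inspection failure (inspect-fail)                                       9
"""

if __name__ == "__main__":
    b, a = parse_asp_drop(SNAPSHOT_BEFORE), parse_asp_drop(SNAPSHOT_AFTER)
    for name, delta in sorted(counter_deltas(b, a).items()):
        print(f"{name:<28} +{delta}")
    print("out-of-order drops/sec:", drops_per_second(b, a, 60))
    print("raise queue-limit?     ", ooo_queue_is_suspect(b, a, 60))
```

Take the two snapshots a known interval apart (or after 'clear asp drop'); if tcp-buffer-full is the only counter moving while the web session fails, the tcp-map queue-limit change above is the right knob, and a flat counter (as in the OP's later reply) points elsewhere.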
07-31-2007 08:15 AM
Cheers but I don't see any TCP errors when I look at the 'sh asp drop' output.
Could it be an MTU issue?
