Core issue
This problem usually occurs when inspect http is enabled and there is a problem with the allowed maximum segment size (MSS).
Resolution
To resolve this issue, perform these steps:
- Disable inspect http.
- Issue these commands in the ASA configuration:
(config)# access-list web-out permit tcp any any
(config)# class-map web-out
(config-cmap)# match access-list web-out
(config-cmap)# exit
(config)# tcp-map mss-map
(config-tcp-map)# exceed-mss allow
(config-tcp-map)# exit
(config)# policy-map global_policy
(config-pmap)# class web-out
(config-pmap-c)# set connection advanced-options mss-map
(config-pmap-c)# exit
(config-pmap)# exit
(config)# service-policy global_policy global
(config)# wr
For a detailed description of these commands, refer to the Cisco Security Appliance Command Reference, Version 7.2.
Problem Type
Troubleshoot software feature
Product Family
ASA Hardware & Software