cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
634
Views
0
Helpful
3
Replies

Log message on Edge Router-- %APPFW-4-HTTP_STRICT

mahesh18
Level 6
Level 6

Hi Everyone,

We are having issues on our edge router.

Users are having slowness and CPU utilization of edge router is high.

Edge router connects to the internet.

We see these logs again and again on the router

%APPFW-4-HTTP_STRICT_PROTOCOL: Sig:15 HTTP protocol violation detected - HTTP Protocol not detected from 210.x.x.x:35408 to 207.x.x.x:80

Need to know how can i fix this issue?is something wrong with configuration?

Thanks

MAhesh

3 Replies 3

InayathUlla Sharieff
Cisco Employee
Cisco Employee

Hi Mahesh,

Core issue

This problem occurs because the web site is not RFC compliant.

The Cisco IOS  router has the PIX Firewall enabled with the inspect command. The inspection rule has appfw configuration in it, and appfw policy has HTTP application in it. The HTTP application in appfw policy has the strict-http action {reset} command in it.

These logs are observed:

007783: Apr 10 10:08:30.140 PDT: %APPFW-4-HTTP_STRICT_PROTOCOL: Sig:15 HTTP
protocol violation detected - Reset -  HTTP Protocol not detected from
10.123.195.67:1261 to 216.148.229.144:80

Response pages coming from www.yahoo.com and its e-mail sites have a mal-formed, chunked encoding scheme. That violates strict-http rules. In particular, the page has a chunk size followed by three spaces before a \r\n combination that violates the strict-http rules. If the action for this rule is to reset, the connection is reset by the firewall, preventing the pages from loading from www.yahoo.com.

Avoid the re-set action with strict-http if you see some pages failing to load.

Resolution

For a  workaround, either remove the strict-http command or avoid re-setting connections in it, but include the alarm action.

Writing exceptions for strict-http is impractical. However, a note in Security Device Manager (SDM) 2.3 can be written by performing these steps:

  1. Detect non-compliant HTTP traffic.

  2. Check if you want SDM to examine HTTP traffic for packets that do not comply
    with the HTTP protocol.

  3. Use the permit, block, and alarm controls to specify the action that the router takes when this type of traffic is encountered.

    Note: Blocking non-compliant HTTP traffic can cause the router to drop
    traffic from popular websites that might not be blocked on the basis of
    content if those websites do not conform to the HTTP protocol.

To issue the strict-http command through SDM, perform these steps:

  1. Click Configure, and task Firewall and ACL.

  2. Click on the Application Security tab, and click on HTTP.

REf:

https://supportforums.cisco.com/docs/DOC-2368

http://www.technibble.com/forums/showthread.php?t=32272

HTH

Regards

Inayath

*Plz rate all usefull posts

Hi Inayath,

When you say that website is not RFC complaint does this mean this website  with IP  - to 207.x.x.x:80?

Also Router has same logs  that goes from our internal IP  to 207.x.x.x?

Need to know why logs keep on repeating?

Thanks

Mahesh

Hi Inayath,

Also we have this in log

%APPFW-4-HTTP_DEOBFUSCATE: Sig:14 Deobfuscation signature detected -  HTTP deobfuscation detected IDS evasion technique from  XXXXXXXXXto YYYYYYYYY

Where x is IP in our internal network and YYYYY is different IP as compare to previous  log.

Thanks

MAhesh

Review Cisco Networking for a $25 gift card