After installing a new ASA 5520, I noticed that a few websites were loading very slowly or not at all. The problem seemed to be very intermittent, but reproducible by revisiting the websites at any time of the day. Browsing to the site from outside of the firewall showed the site to be responsive.
I started to watch the live log while browsing to the site and noticed packets being dropped. The log read:
Apparently, this is a new security feature for the 7.0+ code for the ASA. Normally, the client and server send their MSS (Maximum Segment Size) while establishing the TCP connection. Once this occurs, neither the client or server should send a packet larger than their peer’s MSS. However, some HTTP servers do not recognize the MSS and send packets that are too large, and are thus dropped by the ASA.
The workaround for this is to allow the firewall to pass the packets whose data exceeds the MSS. Let’s say the server causing the problems ip is 192.168.10.9. First, create and access-list for any host accessing that server.
And then create a class map.
Create the policy map.
Apply the map to the outside interface.
If there is more than one site, just add the additional sites to the MSS_Exceeded_ACL access list or change it to allow all sites.
For more information about MSS and logging these events, check out the document from Cisco.
No comments:
Post a Comment