[c-nsp] FWSM problems with one website only

Rama Darbha rdarbha at gmail.com
Sat Apr 9 08:52:49 EDT 2011


Arne,

If you're loading a website, it should be using the simple HTTP protocol.
If that's the case, where was the connection failing? Was it on the
HTTP GET? You said that "after a while retransmitting the website
sends a reset". What packet was being retransmitted?

Additionally, did you verify the captures by comparing the client
captures to the captures on the FWSM? Make sure that no packets are
lost in between and that the FWSM is getting all the packets.

Finally, did you have HTTP inspection enabled on your FWSM? If so, try
disabling that and see if it maybe resolves your issue.

Regards,
Rama

On Fri, Apr 8, 2011 at 10:18 AM, John Kougoulos <koug at intracom.gr> wrote:
>
>
> On Fri, 8 Apr 2011, Arne Larsen  / Region Nordjylland wrote:
>
>> When I did the tracing on the FWSM I could see that it was sending traffic
>> in both directions on the connection and on the wireshark I could see that
>> both ends ended up asking for each other, and after a while retransmitting
>> the website sends a reset.
>
>> Another odd thing that occurs is, when a vpn ipsec user that has accessed
>> our network, is calling the website it normally works fine, not always
>> though.
>>
>
> long shot, but, just in case... The FWSM has limited capabilities of
> handling fragmented packets.
> When you connect through vpn ipsec, the vpn client application sets the mtu
> to 1300 so the problem may disappear.
>
> Hope this gives you a hint.
>
> John
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>


