Downloads from Microsoft licensing site fail on ASA5510

Status
Not open for further replies.

jmkelly

IS-IT--Management
May 14, 2002
25
US
This is a strange problem that seems peculiar to our ASA5510: When we try to download ISO images from we either get nothing or we get a download that fails halfway through. If we use the Java-based Download Manager, we never even connect; if we just use the browser, we get maybe 1.5 GB (of a 3-GB ISO).
I've done packet captures and debug-level syslogs, and the only error we see is HTTP 302, which makes sense because Microsoft passes the download session from one host to another. It's not a fatal error, the session just picks up where it left off. Until it fails completely, of course.
This does not happen with our other firewall, a WatchGuard XTM505, although the configurations are as similar as can be.
I have Cisco support working on it, but they haven't found anything yet.
It seems to be related to traffic load--the only successes we've had (only partial success) have been after hours, when the load is comparatively light.
Whatever's going on must be happening at Layer 4 or higher, since there's no problem routing between the hosts. It seems significant that Download Manager doesn't even begin to work. Any ideas?
 
If you turn off the HTTP inspection feature it will work, but you will lose a good feature on the firewall. I've had this same issue.
 
Interesting. Thanks, I think you're putting me on the right track.
You mean the one under Configuration>Firewall>Service Policy rules? There's not much in there, but I do see a couple of timeouts that could cause failures under high loads, especially if a download process was shifting from server to server. If you set up connections with ten servers one after the other, chances are sooner or later you'll hit one that's too busy to talk to you right away.
Doesn't explain why the Download Manager never gets anywhere, though. Or does it?
 
You could try reducing the MTU and MSS sizing on the WAN port. I suspect the https header is being fragmented.

ACSS - SME
General Geek

 
Code:
show run policy-map global_policy
This command should show you the default application inspection rules. Provided this is the policy your ASA is using, the offending inspection rule would be the http one.
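
Added example, not part of the thread: one way to test the HTTP-inspection theory on an ASA without giving up inspection for all web traffic is to check the inspection counters first, then exempt only the download hosts. The ACL and class names are hypothetical, 192.0.2.0/24 is a placeholder for the download servers' addresses, and the sketch assumes the downloads run over TCP/80 and that `inspect http` currently sits under `inspection_default` in `global_policy`.

```cisco
! --- Exec mode: see whether HTTP inspection is dropping or resetting traffic
! --- before changing anything. Run it again during a failing download.
show service-policy inspect http

! --- Config mode: exempt only the download hosts from HTTP inspection.
! --- A deny entry in a class-map ACL means "do not apply this class's action".
! --- 192.0.2.0/24 is a constructed placeholder, not a real download range.
access-list HTTP_INSPECT_ACL extended deny tcp any 192.0.2.0 255.255.255.0 eq www
access-list HTTP_INSPECT_ACL extended permit tcp any any eq www
!
class-map HTTP_INSPECT_CLASS
 match access-list HTTP_INSPECT_ACL
!
policy-map global_policy
 ! Remove the blanket HTTP inspection from the default class...
 class inspection_default
  no inspect http
 ! ...and re-apply it to everything except the exempted hosts.
 class HTTP_INSPECT_CLASS
  inspect http
!
! --- Exec mode: confirm the resulting policy and retest the download.
show run policy-map global_policy
show service-policy inspect http
```

If the download completes with the exemption in place, the inspection engine is confirmed as the cause and the exemption can stay narrow; if it still fails, restore the original policy and look at the MTU/MSS suggestion instead.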
 