Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Downloads from Microsoft licensing site fail on ASA5510

Status
Not open for further replies.
jmkelly

jmkelly

IS-IT--Management
May 14, 2002
25
US
This is a strange problem that seems peculiar to our ASA5510: When we try to download ISO images from we either get nothing or we get a download that fails halfway through. If we use the Java-based Download Manager, we never even connect; if we just use the browser, we get maybe 1.5 GB (of a 3-GB ISO).
I've done packet captures and debug-level syslogs, and the only error we see is HTTP 302, which makes sense because Microsoft passes the download session from one host to another. It's not a fatal error, the session just picks up where it left off. Until it fails completely, of course.
This does not happen with our other firewall, a WatchGuard XTM505, although the configurations are as similar as can be.
I have Cisco support working on it, but they haven't found anything yet.
It seems to be related to traffic load--the only successes we've had (only partial success) have been after hours, when the load is comparatively light.
Whatever's going in must be happening at Layer 4 or higher, since there's no problem routing between the hosts. It seems significant that Download Manager doesn't even begin to work. Any ideas?
 
Sort by date Sort by votes
If you turn off the HTTP inspection feature it will work, but you will lose a good feature on the firewall. I've had this same issue.
 
Upvote 0 Downvote
Interesting. Thanks, I think you're putting me on the right track.
You mean the one under Configuration>Firewall>Service Policy rules? There's not much in there, but I do see a couple of timeouts that could cause failures under high loads, especially if a download process was shifting from server to server. If you set up connections with ten servers one after the other, chances are sooner or later you'll hit one that's too busy to talk to you right away.
Doesn't explain why the Download Manager never gets anywhere, though. Or does it?
 
Upvote 0 Downvote
You could try reducing the MTU and MSS sizing on the WAN port. I suspect https header is being fragmented.

ACSS - SME
General Geek

 
Upvote 0 Downvote
Code: 
show run policy-map global_policy
This command should show you the default application inspection rules. Provided this is the policy your ASA is using, the offending inspection rule would be the http one.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
318
Sameer258
Sameer258
intel233
  • Locked
  • Question
ASA5510 - SSL Cert
Replies
0
Views
233
intel233
intel233
ChrisFairley
  • Locked
  • Question
Downloads failing through ASA 5520
Replies
1
Views
94
iggsterman
iggsterman
ciscokid1984
  • Locked
  • Question
Watchguard RDP from external network
Replies
1
Views
170
hairlessupportmonkey
hairlessupportmonkey
PauS0n
  • Locked
  • Question
Need Help On Cisco ASA 5512 Running Version 9
Replies
0
Views
98
PauS0n
PauS0n

Part and Inventory Search

Sponsor

Back
Top