Cisco Bug: CSCuj54639 - ASA drops inspected HTTP when unrelated service-policy is removed
Apr 16, 2020
- Cisco ASA 5500-X Series Firewalls
Known Affected Releases
Symptom: If two different interfaces use two different policy-maps that each reference the same L7 HTTP inspection policy-map, all HTTP traffic through the first interface fails when the policy-map used by the second interface is removed. For example:

    ciscoasa# sh nameif
    Interface            Name      Security
    GigabitEthernet0/1   outside   0
    GigabitEthernet0/2   inside    100
    GigabitEthernet0/3   dmz       0

    policy-map type inspect http l7-http-pm
     parameters
     match request method trace
      reset log
    policy-map dmz-policy
     class inspection_default
      inspect http l7-http-pm
    policy-map global_policy
     class inspection_default
      inspect http l7-http-pm
    !
    service-policy global_policy global
    service-policy dmz-policy interface dmz

If 'service-policy dmz-policy interface dmz' is removed, all HTTP traffic on the inside interface fails with the following logs:

    %ASA-6-302013: Built outbound TCP connection 72 for outside:192.168.1.40/80 (192.168.1.40/80) to inside:10.1.1.111/1853 (10.1.1.111/1853)
    %ASA-4-507003: tcp flow from inside:10.1.1.111/1853 to outside:192.168.1.40/80 terminated by inspection engine, reason - reset unconditionally.
    %ASA-6-302014: Teardown TCP connection 72 for outside:192.168.1.40/80 to inside:10.1.1.111/1853 duration 0:00:00 bytes 0 Flow closed by inspection

Conditions: This issue only occurs when the same L7 policy-map (policy-map type inspect http) is shared amongst multiple interfaces.
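The two things an operator wants from this report are a pre-change check (which L7 inspect policy-maps are shared by more than one applied service-policy, so that removing one would hit the other interface) and a detection for the symptom itself (the %ASA-4-507003 "reset unconditionally" teardown). The script below is an added example written for this page, not Cisco code; it assumes a plain-text "show running-config"-style policy-map layout like the one above, uses a constructed config and constructed log lines modelled on the report, and only handles the `inspect http <l7-map>` form of the reference.

```python
import re
from typing import Dict, List, Set

# Constructed sample configuration, modelled on the bug report's example (not a device dump).
SAMPLE_CONFIG = """\
policy-map type inspect http l7-http-pm
 parameters
 match request method trace
  reset log
policy-map dmz-policy
 class inspection_default
  inspect http l7-http-pm
policy-map global_policy
 class inspection_default
  inspect http l7-http-pm
!
service-policy global_policy global
service-policy dmz-policy interface dmz
"""

# Constructed syslog lines, copied in shape from the report's symptom section.
SAMPLE_LOGS = [
    "%ASA-6-302013: Built outbound TCP connection 72 for outside:192.168.1.40/80 (192.168.1.40/80) "
    "to inside:10.1.1.111/1853 (10.1.1.111/1853)",
    "%ASA-4-507003: tcp flow from inside:10.1.1.111/1853 to outside:192.168.1.40/80 terminated by "
    "inspection engine, reason - reset unconditionally.",
    "%ASA-6-302014: Teardown TCP connection 72 for outside:192.168.1.40/80 to inside:10.1.1.111/1853 "
    "duration 0:00:00 bytes 0 Flow closed by inspection",
]


def parse_policy_references(config: str):
    """Return (l7_refs, applied).

    l7_refs: L3/L4 policy-map name -> set of L7 inspect policy-map names it references.
    applied: L3/L4 policy-map name -> where it is applied ('global' or 'interface <name>').
    """
    lines = [raw.strip() for raw in config.splitlines()]
    # First pass: names of every L7 policy-map ("policy-map type inspect <proto> <name>").
    l7_maps: Set[str] = {ln.split()[-1] for ln in lines if ln.startswith("policy-map type inspect ")}

    l7_refs: Dict[str, Set[str]] = {}
    applied: Dict[str, str] = {}
    current = None  # the L3/L4 policy-map whose block we are inside
    for line in lines:
        if line.startswith("policy-map type inspect "):
            current = None  # inside an L7 map: its body holds no inspect references
        elif line.startswith("policy-map "):
            current = line.split()[1]
            l7_refs.setdefault(current, set())
        elif current and line.startswith("inspect "):
            parts = line.split()  # "inspect http l7-http-pm" -> third token is the L7 map
            if len(parts) >= 3 and parts[2] in l7_maps:
                l7_refs[current].add(parts[2])
        elif line.startswith("service-policy "):
            parts = line.split()  # "service-policy <map> global" / "... interface <if>"
            applied[parts[1]] = " ".join(parts[2:])
    return l7_refs, applied


def shared_l7_inspect_maps(config: str) -> Dict[str, Dict[str, str]]:
    """L7 inspect maps referenced by two or more *applied* policy-maps (the bug's trigger)."""
    l7_refs, applied = parse_policy_references(config)
    users: Dict[str, Dict[str, str]] = {}
    for pm, l7s in l7_refs.items():
        if pm not in applied:
            continue  # an unapplied policy-map cannot affect traffic
        for l7 in l7s:
            users.setdefault(l7, {})[pm] = applied[pm]
    return {l7: pms for l7, pms in users.items() if len(pms) >= 2}


def removal_impact(config: str, policy_map: str) -> Dict[str, List[str]]:
    """Other applied policy-maps that still use an L7 map shared with `policy_map`.

    A non-empty result means removing the service-policy for `policy_map` hits the
    interfaces of the listed policy-maps on releases affected by this bug.
    """
    impact: Dict[str, List[str]] = {}
    for l7, pms in shared_l7_inspect_maps(config).items():
        if policy_map in pms:
            impact[l7] = sorted(pm for pm in pms if pm != policy_map)
    return impact


# Matches the symptom's teardown message and pulls out flow and reason.
INSPECT_RESET_RE = re.compile(
    r"%ASA-4-507003: (?P<proto>\w+) flow from (?P<src>\S+) to (?P<dst>\S+) "
    r"terminated by inspection engine, reason - (?P<reason>[^.]+)\.?"
)


def inspection_resets(log_lines: List[str]) -> List[Dict[str, str]]:
    """Return one dict per %ASA-4-507003 line (proto, src, dst, reason)."""
    hits = []
    for line in log_lines:
        m = INSPECT_RESET_RE.search(line)
        if m:
            hits.append(m.groupdict())
    return hits


if __name__ == "__main__":
    print("shared L7 maps:", shared_l7_inspect_maps(SAMPLE_CONFIG))
    print("impact of removing dmz-policy:", removal_impact(SAMPLE_CONFIG, "dmz-policy"))
    print("inspection resets:", inspection_resets(SAMPLE_LOGS))
```

Run the config check before removing a service-policy on an affected release; a non-empty `removal_impact` result means the safer route is to give each interface its own copy of the L7 policy-map first. Feeding `inspection_resets` the syslog stream after the change turns the "reset unconditionally" teardown into an alert instead of a user complaint.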