Cisco Bug: CSCuj54639 - ASA drops inspected HTTP when unrelated service-policy is removed

Last Modified

Apr 16, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

8.4(4.1)

Description (partial)

Symptom:
If two different interfaces use two different policy-maps that each reference the same L7 HTTP inspection policy-map, all HTTP traffic through the first interface fails once the policy-map used by the second interface is removed. For example:

ciscoasa# sh nameif
Interface                Name                     Security
GigabitEthernet0/1       outside                    0
GigabitEthernet0/2       inside                   100
GigabitEthernet0/3       dmz                        0

policy-map type inspect http l7-http-pm
 parameters
 match request method trace
  reset log
policy-map dmz-policy
 class inspection_default
  inspect http l7-http-pm
policy-map global_policy
 class inspection_default
  inspect http l7-http-pm
!
service-policy global_policy global
service-policy dmz-policy interface dmz

If 'service-policy dmz-policy interface dmz' is removed, all HTTP traffic on the inside interface will fail with the following logs:

%ASA-6-302013: Built outbound TCP connection 72 for outside:192.168.1.40/80 (192.168.1.40/80) to inside:10.1.1.111/1853 (10.1.1.111/1853)
%ASA-4-507003: tcp flow from inside:10.1.1.111/1853 to outside:192.168.1.40/80 terminated by inspection engine, reason - reset unconditionally.
%ASA-6-302014: Teardown TCP connection 72 for outside:192.168.1.40/80 to inside:10.1.1.111/1853 duration 0:00:00 bytes 0 Flow closed by inspection

Conditions:
This issue only occurs when the same L7 policy-map (policy-map type inspect http) is shared amongst multiple interfaces.
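A small check for the sharing condition this bug describes, as an added example (not from Cisco or the bug report): it parses an ASA running-config fragment and reports any 'policy-map type inspect http' that is referenced by more than one policy-map actually applied with 'service-policy'. The sample config is the fragment from the description; the function name is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the running-config fragment quoted in the bug description.
SAMPLE_CONFIG = """\
policy-map type inspect http l7-http-pm
 parameters
 match request method trace
  reset log
policy-map dmz-policy
 class inspection_default
  inspect http l7-http-pm
policy-map global_policy
 class inspection_default
  inspect http l7-http-pm
!
service-policy global_policy global
service-policy dmz-policy interface dmz
"""


def shared_l7_http_maps(config):
    """Return {l7_map: [applied policy-maps]} for every
    'policy-map type inspect http' that is referenced by more than
    one L3/L4 policy-map which is itself applied via 'service-policy'."""
    l7_maps = set()             # names of HTTP inspection (L7) policy-maps
    refs = defaultdict(set)     # l7 map -> L3/L4 policy-maps referencing it
    applied = {}                # L3/L4 policy-map -> where it is applied
    current = None              # L3/L4 policy-map whose body we are inside
    for line in config.splitlines():
        m = re.match(r"policy-map type inspect http (\S+)", line)
        if m:
            l7_maps.add(m.group(1))
            current = None      # L7 map bodies never contain 'inspect http'
            continue
        m = re.match(r"policy-map (?!type\b)(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+inspect http (\S+)", line)
        if m and current:
            refs[m.group(1)].add(current)
            continue
        m = re.match(r"service-policy (\S+) (global|interface \S+)", line)
        if m:
            applied[m.group(1)] = m.group(2)
    result = {}
    for l7 in l7_maps:
        users = sorted(pm for pm in refs[l7] if pm in applied)
        if len(users) > 1:      # the sharing pattern from the Conditions section
            result[l7] = users
    return result
```

Removing the dmz service-policy from the sample (the change that triggers the symptom) makes the check report nothing, so it only flags configurations that are still in the shared state.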