Problem downloading JAR files after PIX 7.0(1) upgrade

I have upgraded a pair of PIX 535 Firewalls from Version 6.3(4) to 7.0(1) and am now experiencing problems downloading .jar files from some web servers. I have tried disabling the "inspect http" option but still no joy. Has anyone had similar problems?

I have run a capture on both interfaces on the firewalls, and the weird thing is that they don't show the same number of packets to/from the hosts in question. It looks like the firewall is almost responding on behalf of the client, sending ACKs in response to pushed data. But on the interface where you would expect to see the data going to the client, you don't...

Regards

James


Problem now solved. Just for your information, it was caused by old web servers ignoring the max segment size (MSS) negotiations at the start of the TCP connection. When the web servers then sent oversize packets to the client, the firewall dropped the packets (ouch). There is a document on the Cisco website that explains what to do: "pix-asa-70-browse.pdf".

Regards

James
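A way to confirm this condition from a packet capture, as an added example that is not part of the original posts: the script reads the MSS each side advertised in its SYN and flags data segments larger than the receiver's value. The addresses, ports and the 1380/1460 MSS values are constructed sample data, and hosts are keyed by IP address only for brevity.

```python
import struct

def build_tcp(sport, dport, flags, options=b"", payload=b""):
    """Build a minimal TCP segment (constructed sample data, checksum left 0)."""
    options += b"\x00" * (-len(options) % 4)      # pad options to 32 bits
    offset = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, offset << 4, flags, 65535, 0, 0)
    return hdr + options + payload

def parse_mss(segment):
    """Return the MSS option value from a TCP header, or None if absent."""
    opts, i = segment[20:(segment[12] >> 4) * 4], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                    # end of option list
            break
        if kind == 1:                    # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                        # truncated or malformed option
        if kind == 2 and opts[i + 1] == 4 and i + 4 <= len(opts):
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return None

def find_mss_violations(packets):
    """packets: (src, dst, tcp_segment) tuples in capture order. Flag data
    segments larger than the MSS the receiver advertised in its SYN."""
    advertised, violations = {}, []
    for src, dst, seg in packets:
        payload_len = len(seg) - (seg[12] >> 4) * 4
        if seg[13] & 0x02:               # SYN or SYN-ACK: record sender's MSS
            advertised[src] = parse_mss(seg) or 536   # 536 = IPv4 default
        elif payload_len > advertised.get(dst, 65535):
            violations.append((src, dst, payload_len, advertised[dst]))
    return violations

# Constructed capture: client advertises MSS 1380, server sends 1460 anyway.
CLIENT, SERVER = "10.0.0.5", "192.0.2.80"
SAMPLE = [
    (CLIENT, SERVER, build_tcp(40000, 80, 0x02, struct.pack("!BBH", 2, 4, 1380))),
    (SERVER, CLIENT, build_tcp(80, 40000, 0x12, struct.pack("!BBH", 2, 4, 1460))),
    (CLIENT, SERVER, build_tcp(40000, 80, 0x18, payload=b"G" * 200)),
    (SERVER, CLIENT, build_tcp(80, 40000, 0x18, payload=b"J" * 1460)),
]

if __name__ == "__main__":
    for v in find_mss_violations(SAMPLE):
        print("%s -> %s: %d bytes, receiver advertised MSS %d" % v)
```

Running the same check on captures from both firewall interfaces shows on which side the oversize segments arrive and fail to come out.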

