Cisco Gurus, halp!
While attempting a rollout today of our ASA5505 we ran into an issue where web pages on NAT'd public IP addresses aren't viewable!
We have configured around 10 servers that need to be accessed via their public IP over ports 21, 80 and 443. During our testing phase we made sure that we could access a few test servers running a default install of Apache from a public IP address and this worked fine. During our rollout we discovered that about 1/3 of the web servers were accessible from the internet, while 2/3 were not accessible and returned an error when you attempted to connect to them with a web browser.
The error that was being returned was:
HTTP Error 400
Bad Request
Your browser sent a request that this server could not understand.
Request header field is missing ':' separator.
Viewing the logs on the web servers does indeed show a malformed HTTP header in the GET request.
The strange thing about this is that people connected over the Remote Access VPN can see the (internal IP address) sites just fine, but as soon as they try to browse to the same server's public IP address the browser shows the error page. We have disabled the default HTTP inspection and IPS inspection to see if that would fix the problem, but it still occurs. I'm completely lost as to what would cause this issue on our ASA.
We had to call off our rollout because of the problem and are investigating as to what may have caused it. It's been a long day, night, and it's going to be a longer day.