| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
HTTP Error Message "message_info: CONNECT command found in HTTP request"

This has been observed some times, and there is an SK article (sk20988) about it, but not in the public database. Here is the receipt to stop the error and let users access the blocked site:

The checking for the CONNECT command can be disabled by the following property: asm_http_allow_connect. This is a kernel variable and can therefore neither be changed by dbedit nor by any advanced options of the Global Properties.

Temporary Change

Use the following FW kernel command to change a kernel variable temporarily, until the next reboot:

    # fw ctl set int asm_http_allow_connect 1

To verify the parameter value, issue:

    # fw ctl get int asm_http_allow_connect

To go back to the original configuration, issue:

    # fw ctl set int asm_http_allow_connect 0

Persistent Change

This means changing a FW kernel variable to survive a reboot.

Solaris

Edit the /etc/system file and add the following line at the bottom:

    set fw:asm_http_allow_connect = 1

Windows

Linux and SecurePlatform

Edit the $FWDIR/boot/modules/fwkern.conf file. Add the asm_http_allow_connect parameter with the value 1.

IPSO

Use the modzap debugger (get it from the Nokia Knowledge Base) to modify the asm_http_allow_connect kernel parameter as follows:

    # modzap _asm_http_allow_connect $FWDIR/boot/modules/fwmod.o 1

-- TobiasHaecker - 21 Jan 2004

FAQForm FAQs.Class: ContentSecurityFAQs FAQs.OS: OsSolaris, OsSecurePlatform, OsNokiaIPSO, OsWindows, OsLinux FAQs.Version:
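Because this variable switches off an HTTP inspection check and can be persisted in several places, it is worth auditing. The script below is an added example, not part of the thread or of Check Point's tooling: it reports whether a file persists asm_http_allow_connect as 0 or 1. The function names are hypothetical, and the `name=value` fwkern.conf syntax, `#` comments and "last assignment wins" are assumptions; only the Solaris line is quoted from the post above.

```shell
#!/bin/sh
# Added example (not from the thread): audit persisted settings of the
# asm_http_allow_connect kernel variable described in the first post.
PARAM=asm_http_allow_connect

# persisted_value FILE: print the last value assigned to $PARAM, if any.
persisted_value() {
    [ -r "$1" ] || return 0
    # Skip comment lines ('*' in /etc/system, '#' assumed elsewhere), then match
    #   set fw:asm_http_allow_connect = 1   (Solaris line quoted in the thread)
    #   asm_http_allow_connect=1            (ASSUMED fwkern.conf syntax)
    sed -n -e '/^[[:space:]]*[*#]/d' -e \
      "s/^[[:space:]]*\(set[[:space:]]\{1,\}fw:\)\{0,1\}${PARAM}[[:space:]]*=[[:space:]]*\([0-9]\{1,\}\)[[:space:]]*\$/\2/p" \
      "$1" | tail -n 1
}

# connect_state FILE: blocked (0), allowed (1), unset, or invalid.
connect_state() {
    case "$(persisted_value "$1")" in
        "") echo unset ;;
        0)  echo blocked ;;
        1)  echo allowed ;;
        *)  echo invalid ;;
    esac
}

# audit FILE...: report each file; return 1 if any persists CONNECT as allowed.
audit() {
    rc=0
    for f in "$@"; do
        s=$(connect_state "$f")
        printf '%s: %s\n' "$f" "$s"
        if [ "$s" = allowed ]; then rc=1; fi
    done
    return "$rc"
}

# make_samples DIR: write constructed sample files for a dry run.
make_samples() {
    printf '* constructed sample\nset fw:asm_http_allow_connect = 1\n' > "$1/system"
    printf '# constructed sample\nasm_http_allow_connect=0\n' > "$1/fwkern.conf"
    printf '# set fw:asm_http_allow_connect = 1\n' > "$1/commented"
}

if [ "$#" -gt 0 ]; then audit "$@"; fi
```

A file that is missing or has no assignment reports `unset`; that says nothing about the running kernel value, which `fw ctl get int asm_http_allow_connect` shows.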
| |||
This is quite interesting. In the NGX control panel I can see the option, and ours is disabled, and YET we're still seeing the firewall deny the traffic. I used the command-line tool...

    [fw]# fw ctl get int asm_http_allow_connect
    asm_http_allow_connect = 0
    [fw]# fw ctl set int asm_http_allow_connect 1
    [fw]# fw ctl get int asm_http_allow_connect
    asm_http_allow_connect = 1

It seems to have helped. I suspect the problem is that tho' I'm using NGX management the firewall itself is R55 :-(

__________________
Linux fanboy: SuSE10.x on x86, Cacko1.23 on Zaurus SL-C3100, OZ on SL-6000L.
| |||
Hmm, well, I couldn't find where to put it, we don't have a fwkern.conf on SPLAT-R55, so I created a startup-script instead.

__________________
Linux fanboy: SuSE10.x on x86, Cacko1.23 on Zaurus SL-C3100, OZ on SL-6000L.