https://community.cisco.com/t5/network-security/out-of-order-tcp-packets/m-p/1749038#M533436 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The ASA is actually saying there are dups of packets in out-of-order queue. packets arriving out of order for a TCP connection is pretty normal but a lot of out of order packets can affect throughput.</P><P></P><P>On the ASA, do you have inspection for http configured? What about threat-detection? If you bypass the IPs module in it, do you find the throughput satisfactory?</P><P></P><P>Regards,</P><P>Prapanch</P></BODY></HTML> Wed, 31 Aug 2011 19:34:42 GMT praprama 2011-08-31T19:34:42Z https://community.cisco.com/t5/network-security/out-of-order-tcp-packets/m-p/1749035#M533433 <P>hi out there</P><P></P><P>We have been digging a bit in "bad" http throughput at some sites through our ASA 5510/5520'eres - the boxes itself are not that loaded so that we would expect bad througput but some sites load very slow thorugh these boxes and through the "show asp" command I can see that we drop packets in a out of order que (ok - those dropped are dups accoring to the description):</P><P></P><P>gw# sh asp drop frame</P><P>&nbsp; No valid adjacency (no-adjacency)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3531</P><P>&nbsp; Reverse-path verify failed (rpf-violated)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 47101</P><P>&nbsp; Flow is denied by configured rule (acl-drop)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 505169</P><P>&nbsp; First TCP packet not SYN (tcp-not-syn)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1525</P><P>&nbsp; TCP failed 3 way handshake (tcp-3whs-failed)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3472</P><P>&nbsp; TCP RST/FIN out of order (tcp-rstfin-ooo)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4952</P><P>&nbsp; TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2</P><P>&nbsp; TCP packet SEQ past window (tcp-seq-past-win)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 131</P><P>&nbsp; TCP RST/SYN in window (tcp-rst-syn-in-win)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 6</P><P>&nbsp; <STRONG>TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 50654</STRONG></P><P>&nbsp; TCP packet failed PAWS test (tcp-paws-fail)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 24</P><P>&nbsp; Slowpath security checks failed (sp-security-failed)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 21401</P><P>&nbsp; FP L2 rule drop (l2_acl)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P></P><P><SPAN lang="EN-US" style="font-family: &amp;quot;Calibri&amp;quot;,&amp;quot;sans-serif&amp;quot;; color: #1f497d; font-size: 11pt; mso-ansi-language: EN-US; mso-fareast-font-family: Calibri; mso-fareast-theme-font: minor-latin; mso-fareast-language: DA; mso-bidi-language: AR-SA;"><SPAN style="font-family: Arial; color: #333333; font-size: 10pt;">We have not defined any tcp-map to handle these our-of-order packets - but how is default behavior of the ASA for packets received a bit out of order? how huge is the default que etc for holding and handling these sessions? Is there a way to debug/log how often</SPAN> http sessions are received out-of-order ?</SPAN></P><P><SPAN lang="EN-US" style="font-family: &amp;quot;Calibri&amp;quot;,&amp;quot;sans-serif&amp;quot;; color: #1f497d; font-size: 11pt; mso-ansi-language: EN-US; mso-fareast-font-family: Calibri; mso-fareast-theme-font: minor-latin; mso-fareast-language: DA; mso-bidi-language: AR-SA;"> </SPAN></P><P><SPAN lang="EN-US" style="font-family: &amp;quot;Calibri&amp;quot;,&amp;quot;sans-serif&amp;quot;; color: #1f497d; font-size: 11pt; mso-ansi-language: EN-US; mso-fareast-font-family: Calibri; mso-fareast-theme-font: minor-latin; mso-fareast-language: DA; mso-bidi-language: AR-SA;">best regards /ti&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></P> Mon, 11 Mar 2019 21:12:23 GMT https://community.cisco.com/t5/network-security/out-of-order-tcp-packets/m-p/1749035#M533433 tiwang 2019-03-11T21:12:23Z https://community.cisco.com/t5/network-security/out-of-order-tcp-packets/m-p/1749036#M533434 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P></P><P>Not a very easy way to, but you can set a capture wide open on the interface and check the out of order packets. By any chance do you have an IPS module? </P><P></P><P>Mike. </P></BODY></HTML> Wed, 17 Aug 2011 18:37:15 GMT https://community.cisco.com/t5/network-security/out-of-order-tcp-packets/m-p/1749036#M533434 Maykol Rojas 2011-08-17T18:37:15Z https://community.cisco.com/t5/network-security/out-of-order-tcp-packets/m-p/1749037#M533435 <HTML><HEAD></HEAD><BODY><P> hi again</P><P>yes we have SSM-20 in these boxes </P></BODY></HTML> Thu, 18 Aug 2011 08:06:35 GMT https://community.cisco.com/t5/network-security/out-of-order-tcp-packets/m-p/1749037#M533435 tiwang 2011-08-18T08:06:35Z https://community.cisco.com/t5/network-security/out-of-order-tcp-packets/m-p/1749038#M533436 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The ASA is actually saying there are dups of packets in out-of-order queue. packets arriving out of order for a TCP connection is pretty normal but a lot of out of order packets can affect throughput.</P><P></P><P>On the ASA, do you have inspection for http configured? What about threat-detection? If you bypass the IPs module in it, do you find the throughput satisfactory?</P><P></P><P>Regards,</P><P>Prapanch</P></BODY></HTML> Wed, 31 Aug 2011 19:34:42 GMT https://community.cisco.com/t5/network-security/out-of-order-tcp-packets/m-p/1749038#M533436 praprama 2011-08-31T19:34:42Z