I ran into an issue where our firewall was dropping a lot of packets both through and to it. The output of 'show asp drop' showed that the number of drops for TCP Out-of-Order packet buffer full (tcp-buffer-full) and TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) was an order of magnitude greater than drops for any other cause. I failed over to the secondary firewall, and the network traffic seemed to stabilize. After a while, I did 'show asp drop' on the secondary (now active) firewall and didn't notice any packets dropped for those reasons.
What might be the reasons why the TCP out-of-order packet buffer would fill up?
Is there a way to increase the size of the packet buffer?
Are there any show commands or monitoring techniques (syslog, trap, SNMP polling) that would show the status of the buffer or help to troubleshoot it?