Solved: Re: cdt: %FW-4-TCP_OoO_SEG: Dropping TCP Segment:

Adnan Khan · ‎06-14-2022

Jun 14 23:43:29 cdt: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3837741645 1500 bytes is out-of-order; expected seq:3837627765. Reason: TCP reassembly queue overflow - session x.x.x.x:63150 to y.y.y.y:80

What could be cause this log message keep generating on router 2951 model and configured DMVPN tunnels.

Giuseppe Larosa · ‎06-15-2022

Hello @Adnan Khan ,

>> TCP reassembly queue overflow

>> router 2951 model and configured DMVPN tunnels.

it is acting as a Hub in DMVPN ? or it is a Spoke ?

With standard public internet services over Ethernet with L3 MTU 1500 bytes the IPSEC and GRE overhead causes the devices specially the hub to face the issue of the need to reassembly IP packets containing a TCP segment ( L4 PDU).

if you are in this scenario you need to know the ISR has limited resources to store TCP segments waiting to be re-assembled.

the message says that the device is not able to handle a big flow that is moving a large file.

Hope to help

Giuseppe

View solution in original post

MHM Cisco World · ‎06-15-2022

*DMVPN with IPSec,
try increase the IPSec anti-reply window size

the window can make some packet drop and hence tcp segment is out-of-order

https://www.cisco.com/c/en/us/td/docs/routers/asr920/configuration/guide/sec_vpn/sec-ipsec-xe-3s-book-920/configuring_ipsec_anti_replay_window_expanding_and_disabling.pdf

**

or try increase the Queue of tcp reassembly

ip inspect tcp reassembly queue length 128

ip inspect tcp reassembly timeout 10

View solution in original post

marce1000 · ‎06-14-2022

- Probably a similar bug report : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCti71232 , meaning check current software version on the router , use an advisory release (upgrade) , if applicable , check if that can help.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Giuseppe Larosa · ‎06-15-2022

Hello @Adnan Khan ,

>> TCP reassembly queue overflow

>> router 2951 model and configured DMVPN tunnels.

it is acting as a Hub in DMVPN ? or it is a Spoke ?

With standard public internet services over Ethernet with L3 MTU 1500 bytes the IPSEC and GRE overhead causes the devices specially the hub to face the issue of the need to reassembly IP packets containing a TCP segment ( L4 PDU).

if you are in this scenario you need to know the ISR has limited resources to store TCP segments waiting to be re-assembled.

the message says that the device is not able to handle a big flow that is moving a large file.

Hope to help

Giuseppe

balaji.bandi · ‎06-15-2022

what IOS Code running, how is your config ? do you have zone based Firewall config ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

MHM Cisco World · ‎06-15-2022

*DMVPN with IPSec,
try increase the IPSec anti-reply window size

the window can make some packet drop and hence tcp segment is out-of-order

https://www.cisco.com/c/en/us/td/docs/routers/asr920/configuration/guide/sec_vpn/sec-ipsec-xe-3s-book-920/configuring_ipsec_anti_replay_window_expanding_and_disabling.pdf

**

or try increase the Queue of tcp reassembly

ip inspect tcp reassembly queue length 128

ip inspect tcp reassembly timeout 10