06-14-2022 10:37 PM - last edited on 08-19-2022 02:47 AM by Translator
Jun 14 23:43:29 cdt: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3837741645 1500 bytes is out-of-order; expected seq:3837627765. Reason: TCP reassembly queue overflow - session x.x.x.x:63150 to y.y.y.y:80
What could be causing this log message to keep being generated on a 2951 model router with DMVPN tunnels configured?
06-15-2022 12:09 AM - edited 06-15-2022 12:11 AM
Hello @Adnan Khan ,
>> TCP reassembly queue overflow
>> router 2951 model and configured DMVPN tunnels.
Is it acting as a hub in DMVPN, or is it a spoke?
With standard public internet services over Ethernet with an L3 MTU of 1500 bytes, the IPsec and GRE overhead causes the devices, especially the hub, to face the need to reassemble IP packets containing a TCP segment (L4 PDU).
If you are in this scenario, you need to know that the ISR has limited resources to store TCP segments waiting to be reassembled.
The message says that the device is not able to handle a big flow that is moving a large file.
Hope this helps
Giuseppe
06-15-2022 04:18 AM - last edited on 08-19-2022 02:51 AM by Translator
DMVPN with IPsec:
try increasing the IPsec anti-replay window size.
The window can cause some packets to be dropped, and hence the TCP segment is out of order.
Or try increasing the TCP reassembly queue:
ip inspect tcp reassembly queue length 128
ip inspect tcp reassembly timeout 10
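To judge whether a larger reassembly queue would have absorbed the reordering, the gap in each drop message can be measured. The following is an added example, not part of the thread or of any Cisco tool: it parses `%FW-4-TCP_OoO_SEG` lines and reports per session how many segments lie between the expected and the dropped sequence number. It assumes the queue length counts segments; the sample lines are constructed, with documentation addresses in place of the redacted ones.

```python
import re
from collections import defaultdict

# Constructed sample; line 1 mirrors the message quoted in the thread, with
# documentation addresses substituted for the redacted x.x.x.x / y.y.y.y.
SAMPLE_LOG = """\
Jun 14 23:43:29 cdt: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3837741645 1500 bytes is out-of-order; expected seq:3837627765. Reason: TCP reassembly queue overflow - session 192.0.2.10:63150 to 198.51.100.20:80
Jun 14 23:43:30 cdt: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:4294966000 1500 bytes is out-of-order; expected seq:4294900000. Reason: TCP reassembly queue overflow - session 192.0.2.10:63150 to 198.51.100.20:80
Jun 14 23:43:31 cdt: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:200 1460 bytes is out-of-order; expected seq:4294967000. Reason: TCP reassembly queue overflow - session 192.0.2.11:50000 to 198.51.100.20:443
"""

OOO_RE = re.compile(
    r"%FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:(?P<seq>\d+) (?P<len>\d+) bytes "
    r"is out-of-order; expected seq:(?P<exp>\d+)\. Reason: (?P<reason>.+?) - "
    r"session (?P<src>\S+) to (?P<dst>\S+)"
)

def parse_drops(text):
    """Yield one dict per out-of-order drop found in the log text."""
    for line in text.splitlines():
        m = OOO_RE.search(line)
        if not m:
            continue
        seq, exp, size = int(m["seq"]), int(m["exp"]), int(m["len"])
        gap = (seq - exp) % 2**32  # TCP sequence numbers wrap at 2**32
        yield {
            "session": (m["src"], m["dst"]),
            "reason": m["reason"],
            "gap_bytes": gap,
            # Segments of this size needed to span the gap (ceiling division).
            "gap_segments": -(-gap // size),
        }

def summarize(text, queue_length=128):
    """Per session: drop count, worst gap, and whether queue_length spans it.

    Assumption: queue_length is counted in segments, as in the
    'queue length 128' suggestion made in the thread.
    """
    out = defaultdict(lambda: {"drops": 0, "max_gap_segments": 0})
    for d in parse_drops(text):
        s = out[d["session"]]
        s["drops"] += 1
        s["max_gap_segments"] = max(s["max_gap_segments"], d["gap_segments"])
    for s in out.values():
        s["fits_queue"] = s["max_gap_segments"] <= queue_length
    return dict(out)
```

For the message quoted in the thread the gap is 113880 bytes, about 76 full-size segments ahead of the expected sequence number.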
06-14-2022 11:46 PM
- Probably a similar bug report: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCti71232 , meaning check the current software version on the router, use an advisory release (upgrade) if applicable, and check if that can help.
M.
06-15-2022 12:11 AM
What IOS code is running, and how is your config? Do you have a zone-based firewall config?