This document explains the following error message seen on the ASA:
%ASA-4-507001: Terminating TCP-Proxy connection from int1:<ip-addr-1>/<src-port> to int2:<ip-addr2>/<dst-port> - reassembly limit of 8192 bytes exceeded
Application inspections cannot reliably inspect application data when such data are segmented by TCP. The problem is especially acute with inspections that filter application data. In such a case, a failure to reject these data packets is a breach of the security function. To overcome this, the firewall uses the TCP Proxy feature. TCP Proxy allows the ASA/PIX unit to proxy an end-point, hence the firewall ACKs the packets on behalf of an end-point. TCP Proxy reassembles the packets so that application data can be inspected even though they were segmented. This feature is closely tied to the TCP Normalization feature.
With this in place, there is also a limitation. There has to be a limit on how many packets can be stored in the buffer for inspection. This was previously set to 8Kb, and exceeding it generates the syslog mentioned above. As this seemed insufficient for some multimedia protocols, a bug was filed to increase the TCP Proxy maximum buffer for those application inspection engines; however, it was decided to increase the limit to 64kb for all inspection engines.
Please refer to bug: CSCsl15229 for more details on this.
Some customers were seeing a similar syslog message even after upgrading to 8.0.4(1):
%ASA-4-507001: Terminating TCP-Proxy connection from int1:<ip-addr-1>/<srce-port> to int2:<ip-addr2>/1521 - reassembly limit of 65536 bytes exceeded
This time it was exceeding the 64k limit.
A new bug has been filed for this issue: CSCsv62378
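To see which service is hitting the reassembly limit, and whether a device is still enforcing 8192 or already 65536 bytes, the 507001 messages can be parsed and counted per destination. The script below is an added example, not part of the original document; the function names, sample log lines, timestamps and addresses are constructed for illustration.

```python
import re
from collections import Counter

# Layout taken from the two 507001 messages quoted in this document.
PATTERN = re.compile(
    r"%ASA-4-507001: Terminating TCP-Proxy connection from "
    r"(?P<src_if>[^:\s]+):(?P<src_ip>[^/\s]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[^:\s]+):(?P<dst_ip>[^/\s]+)/(?P<dst_port>\d+) - "
    r"reassembly limit of (?P<limit>\d+) bytes exceeded"
)

def parse_507001(line):
    """Return the fields of a 507001 message as a dict, or None for other lines."""
    m = PATTERN.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("src_port", "dst_port", "limit"):
        rec[key] = int(rec[key])
    return rec

def summarize(lines):
    """Count terminated connections per (destination IP, destination port, limit)."""
    counts = Counter()
    for line in lines:
        rec = parse_507001(line)
        if rec:
            counts[(rec["dst_ip"], rec["dst_port"], rec["limit"])] += 1
    return counts

# Constructed sample log lines (documentation addresses, made-up timestamps).
SAMPLE = [
    "Oct 01 2008 10:00:01: %ASA-4-507001: Terminating TCP-Proxy connection from inside:192.0.2.10/40001 "
    "to outside:198.51.100.20/1521 - reassembly limit of 65536 bytes exceeded",
    "Oct 01 2008 10:00:09: %ASA-4-507001: Terminating TCP-Proxy connection from inside:192.0.2.11/40002 "
    "to outside:198.51.100.20/1521 - reassembly limit of 65536 bytes exceeded",
    "Oct 01 2008 10:02:30: %ASA-4-507001: Terminating TCP-Proxy connection from inside:192.0.2.12/40003 "
    "to outside:198.51.100.30/1720 - reassembly limit of 8192 bytes exceeded",
    "Oct 01 2008 10:03:00: %ASA-6-302013: Built outbound TCP connection 1001 for outside:198.51.100.20/1521 "
    "(198.51.100.20/1521) to inside:192.0.2.10/40001 (192.0.2.10/40001)",
]

if __name__ == "__main__":
    for (dst_ip, dst_port, limit), n in summarize(SAMPLE).most_common():
        print(f"{dst_ip}:{dst_port} limit={limit} terminated={n}")
```

A destination that keeps appearing with the 65536-byte limit matches the second case described above, where the larger buffer is still being exceeded.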