This document talks about the error message we get on ASA:
%ASA-4-507001: Terminating TCP-Proxy connection from int1:<ip-addr-1>/<src-port> to int2:<ip-addr2>/<dst-port> - reassembly limit of 8192 bytes exceeded
Application inspections cannot reliably inspect application data when that data is segmented by TCP. The problem is especially acute with inspections that filter application data: in that case, a failure to reject those packets is a breach of the security function. To overcome this, the firewall uses the TCP Proxy feature. TCP Proxy allows the ASA/PIX unit to proxy an end-point, hence the firewall ACKs the packets on behalf of an end-point. TCP Proxy reassembles the packets so that application data can be inspected even though it was segmented. This feature is closely tied to the TCP Normalization feature.
With this in place there is also a limitation: there has to be a limit on how much data can be stored in the buffer for inspection. This was previously set to 8 KB (8192 bytes), and exceeding it generates the syslog mentioned above. As this seemed insufficient for some multimedia protocols, a bug was filed to increase the TCP Proxy maximum buffer for those application inspection engines; however, it was decided to increase the limit to 64 KB for all inspection engines.
Please refer to bug: CSCsl15229 for more details on this.
Some customers were seeing a similar syslog message even after upgrading to 8.0.4(1):
%ASA-4-507001: Terminating TCP-Proxy connection from int1:<ip-addr-1>/<src-port> to int2:<ip-addr2>/1521 - reassembly limit of 65536 bytes exceeded
This time it was exceeding the 64k limit.
A new bug has been filed for this issue: CSCsv62378
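A small log-triage helper, added here as an example and not part of the original document, that parses %ASA-4-507001 messages of the shape shown above, records which reassembly limit (8192 or 65536 bytes) was hit, and counts terminated proxy connections per destination port so the affected inspection engine can be identified. The interface names, addresses and ports in the sample lines are constructed for this example.

```python
import re
from collections import Counter

# Message shape and syslog ID are from the page; field names are this example's own.
ASA_507001_RE = re.compile(
    r"%ASA-4-507001: Terminating TCP-Proxy connection from "
    r"(?P<src_if>[^:\s]+):(?P<src_ip>[^/\s]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[^:\s]+):(?P<dst_ip>[^/\s]+)/(?P<dst_port>\d+) - "
    r"reassembly limit of (?P<limit>\d+) bytes exceeded"
)

# Limits mentioned on the page: 8192 bytes before CSCsl15229, 65536 bytes from 8.0.4(1).
OLD_LIMIT = 8192
NEW_LIMIT = 65536


def parse_asa_507001(line):
    """Return the fields of a %ASA-4-507001 message as a dict, or None for any other line."""
    m = ASA_507001_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("src_port", "dst_port", "limit"):
        rec[key] = int(rec[key])
    return rec


def classify(rec):
    """Label a parsed record by which reassembly limit was exceeded."""
    if rec["limit"] == OLD_LIMIT:
        return "old-8k-limit"   # pre-8.0.4(1) behaviour, see CSCsl15229
    if rec["limit"] == NEW_LIMIT:
        return "64k-limit"      # still exceeded after the increase, see CSCsv62378
    return "other-limit"


def summarize(lines):
    """Count terminated TCP-Proxy connections per (dst_port, limit class).

    Non-matching lines (other syslog IDs) are skipped.
    """
    counts = Counter()
    for line in lines:
        rec = parse_asa_507001(line)
        if rec is None:
            continue
        counts[(rec["dst_port"], classify(rec))] += 1
    return counts


# Constructed sample log lines; interfaces, addresses and ports are made up.
SAMPLE_LOG = [
    "%ASA-4-507001: Terminating TCP-Proxy connection from inside:10.0.0.5/51234 "
    "to outside:192.0.2.10/1521 - reassembly limit of 65536 bytes exceeded",
    "%ASA-4-507001: Terminating TCP-Proxy connection from inside:10.0.0.6/51240 "
    "to outside:192.0.2.10/1521 - reassembly limit of 65536 bytes exceeded",
    "%ASA-4-507001: Terminating TCP-Proxy connection from dmz:10.1.1.9/40001 "
    "to outside:198.51.100.7/5060 - reassembly limit of 8192 bytes exceeded",
    "%ASA-6-302014: Teardown TCP connection 12345 for inside:10.0.0.5/51234 "
    "to outside:192.0.2.10/1521 duration 0:00:01 bytes 512 TCP FINs",
]

if __name__ == "__main__":
    for (port, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"dst_port={port} {kind}: {n} connection(s) terminated")
```

Running it on the constructed sample reports two 64k-limit terminations toward port 1521 and one old-8k-limit termination toward port 5060; the unrelated %ASA-6-302014 line is ignored. A recurring count for one destination port after the 8.0.4(1) upgrade is the pattern described above for CSCsv62378.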