This document talks about the error message we get on ASA:
%ASA-4-507001: Terminating TCP-Proxy connection from int1:<ip-addr-1>/<src-port> to int2:<ip-addr2>/<dst-port> - reassembly limit of 8192 bytes exceeded
Application inspections cannot reliably inspect application data when that data is segmented across multiple TCP packets. The problem is especially acute for inspections that filter application data: in that case, a failure to reject these packets is a breach of the security function. To overcome this, the firewall uses the TCP Proxy feature. TCP Proxy allows the ASA/PIX unit to proxy an endpoint, hence the firewall ACKs the packets on behalf of that endpoint. TCP Proxy reassembles the packets so that the application data can be inspected even though it was segmented. This feature is closely tied to the TCP Normalization feature.
With this in place, there is also a limitation: there has to be a limit on how much data can be held in the buffer for inspection. This was previously set to 8 KB (8192 bytes); when it is exceeded, the syslog mentioned above is generated. As this proved insufficient for some multimedia protocols, a bug was filed to increase the TCP Proxy maximum buffer for those application inspection engines; however, it was decided to increase the limit to 64 KB for all inspection engines.
Please refer to bug CSCsl15229 for more details.
Some customers were seeing a similar syslog message even after upgrading to 8.0.4(1):
%ASA-4-507001: Terminating TCP-Proxy connection from int1:<ip-addr-1>/<srce-port> to int2:<ip-addr2>/1521 - reassembly limit of 65536 bytes exceeded
This time the 64 KB limit was being exceeded.
A new bug has been filed for this issue: CSCsv62378
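When triaging these syslogs it helps to know, per destination port, which buffer limit (8192 or 65536 bytes) is being hit, since the 8 KB value indicates a pre-8.0.4(1) image and the 64 KB value indicates the second issue. The following parser is an added example, not part of this document or any Cisco tool; the log lines it runs on are constructed, with made-up addresses and ports.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# Message format as quoted in this document: interface:ip/port pairs and the limit in bytes.
PATTERN = re.compile(
    r"%ASA-4-507001: Terminating TCP-Proxy connection from "
    r"(?P<src_if>[^:\s]+):(?P<src_ip>[^/\s]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[^:\s]+):(?P<dst_ip>[^/\s]+)/(?P<dst_port>\d+) - "
    r"reassembly limit of (?P<limit>\d+) bytes exceeded"
)

class ProxyTermination(NamedTuple):
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int
    limit: int  # reassembly buffer limit (bytes) that was exceeded

def parse_507001(line: str) -> Optional[ProxyTermination]:
    """Parse one syslog line; return None for any other message ID."""
    m = PATTERN.search(line)
    if m is None:
        return None
    return ProxyTermination(
        m["src_if"], m["src_ip"], int(m["src_port"]),
        m["dst_if"], m["dst_ip"], int(m["dst_port"]), int(m["limit"]),
    )

def summarize(lines):
    """Count terminations per (destination port, limit) so the affected
    service and the buffer size in force are visible at a glance."""
    counts = Counter()
    for line in lines:
        ev = parse_507001(line)
        if ev is not None:
            counts[(ev.dst_port, ev.limit)] += 1
    return counts

# Constructed sample lines (hostnames, addresses and ports are made up for this example).
SAMPLE_LOG = [
    "Jan 10 12:00:01 asa1 %ASA-4-507001: Terminating TCP-Proxy connection from "
    "inside:10.1.1.5/51234 to outside:10.2.2.9/1521 - reassembly limit of 65536 bytes exceeded",
    "Jan 10 12:00:02 asa1 %ASA-6-302014: Teardown TCP connection 12345 for inside:10.1.1.5/51235 "
    "to outside:10.2.2.9/443 duration 0:00:05 bytes 1234 TCP FINs",
    "Jan 10 12:00:03 asa1 %ASA-4-507001: Terminating TCP-Proxy connection from "
    "inside:10.1.1.7/40001 to dmz:10.3.3.4/5060 - reassembly limit of 8192 bytes exceeded",
    "Jan 10 12:00:04 asa1 %ASA-4-507001: Terminating TCP-Proxy connection from "
    "inside:10.1.1.8/40002 to outside:10.2.2.9/1521 - reassembly limit of 65536 bytes exceeded",
]

if __name__ == "__main__":
    for (port, limit), n in sorted(summarize(SAMPLE_LOG).items()):
        note = "64 KB limit still exceeded" if limit >= 65536 else "old 8 KB limit"
        print(f"dst port {port}: {n} termination(s) at {limit} bytes ({note})")
```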