Showing results for 
Search instead for 
Did you mean: 

ASA: Terminating TCP-Proxy connection from xxxx: reassembly limit of 8192 bytes exceeded




This document talks about the error message we get on ASA:


%ASA-4-507001: Terminating TCP-Proxy connection from  int1:<ip-addr-1>/<src-port> to int2:<ip-addr2>/<dst-port> -  reassembly limit of 8192 bytes exceeded



Application inspections cannot reliably inspect application data when such data are segmented by TCP. The problem is especially acute with inspections that filter application data. In such case, a failure to reject these data-packets is a breach of the security function. To overcome this, firewall uses TCP Proxy feature. TCP Proxy allows the ASA/PIX unit to proxy an end-point, hece firewall would ACK the packets on behalf of a end-point. TCP Proxy will reassemble the packets such that application data can be expected even though they were segmented. This feature is closely tied to the TCP Normalization feature.


Now, with this in place, there is some limitation also. There has to be a limit on how many packets can be stored in buffer for inspection. This was previously set to 8Kb which if exceeded generates syslog mentioned above. As this seemed insufficient for some multimedia protocols a bug was filed to increase TCP Proxy maximum buffer for those application inspection engines, however, it was decided to increase the limit to 64kb for all inspection engines.


Please refer to bug: CSCsl15229 for more details on this.


Some customers were seeing similar syslog message even after upgrading to 8.0.4(1)-


%ASA-4-507001: Terminating TCP-Proxy connection from int1:<ip-addr-1>/<srce-port> to int2:<ip-addr2>/1521 - reassembly limit of 65536 bytes exceeded


This time it was exceeding the 64k limit.


A new bug has been filed for this issue: CSCsv62378



Bugs: CSCsl15229 and CSCsv62378

Content for Community-Ad