10-26-2010 12:08 PM - edited 03-06-2019 01:44 PM
Hi there,
Under show logs my router 2911 is showing lots of logs like these ones:
****************************************************************
Oct 26 15:20:31.987: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:1663435490 1500 bytes is out-of-order; expected seq:1663410670. Reason: TCP reassembly queue overflow - session 10.10.11.61:49401 to 74.208.125.236:80
Oct 26 15:20:33.971: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:1697625256 1500 bytes is out-of-order; expected seq:1697600436. Reason: TCP reassembly queue overflow - session 10.10.11.61:49402 to 74.208.125.236:80
Oct 26 15:27:14.799: %FW-4-TCP_OoO_SEG: Deleting session as expected TCP segment with seq:2348714920 has not arrived even after 25 seconds - session 10.10.10.236:57329 to 66.220.151.69:80
Oct 26 15:40:45.703: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3518435753 1500 bytes is out-of-order; expected seq:3518410933. Reason: TCP reassembly queue overflow - session 10.10.11.93:49643 to 74.208.125.236:80
********************************************************
Are these logs fine or do I need to check anything else?
Attached is my show run:
Help plz!
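A small triage script for these messages, added here as an example; it is not from the thread, from Cisco, or from the router's software. It assumes the console's 80-column wrapping has already been joined back into single lines (the four lines embedded below are the ones pasted above, joined by hand), and it separates the two forms of %FW-4-TCP_OoO_SEG: segments dropped because the reassembly queue overflowed, and sessions deleted because an expected segment never arrived. It also reports which inside hosts and outside peers are involved and how far ahead of the expected sequence number each dropped segment was, which is the kind of grouping that tells you whether the messages are a memory/queue-size issue, a lossy path, or a few specific peers.

```python
import re
from collections import Counter

# Sample input: the four %FW-4-TCP_OoO_SEG lines from the thread above,
# with the router console's line wrapping joined into single lines.
SAMPLE_LOG = """\
Oct 26 15:20:31.987: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:1663435490 1500 bytes is out-of-order; expected seq:1663410670. Reason: TCP reassembly queue overflow - session 10.10.11.61:49401 to 74.208.125.236:80
Oct 26 15:20:33.971: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:1697625256 1500 bytes is out-of-order; expected seq:1697600436. Reason: TCP reassembly queue overflow - session 10.10.11.61:49402 to 74.208.125.236:80
Oct 26 15:27:14.799: %FW-4-TCP_OoO_SEG: Deleting session as expected TCP segment with seq:2348714920 has not arrived even after 25 seconds - session 10.10.10.236:57329 to 66.220.151.69:80
Oct 26 15:40:45.703: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3518435753 1500 bytes is out-of-order; expected seq:3518410933. Reason: TCP reassembly queue overflow - session 10.10.11.93:49643 to 74.208.125.236:80
"""

# IOS timestamp ("Oct 26 15:20:31.987") and the "session A:P to B:Q" tail shared by both forms.
TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3})"
SESSION = r"session (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)"

# Form 1: a segment is dropped because it is out of order and the queue is full.
DROP_RE = re.compile(
    TS + r": %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:(?P<seq>\d+) (?P<size>\d+) bytes "
    r"is out-of-order; expected seq:(?P<expected>\d+)\. Reason: (?P<reason>.+?) - " + SESSION + r"$"
)
# Form 2: the whole session is torn down because the expected segment never showed up.
TIMEOUT_RE = re.compile(
    TS + r": %FW-4-TCP_OoO_SEG: Deleting session as expected TCP segment with seq:(?P<seq>\d+) "
    r"has not arrived even after (?P<wait>\d+) seconds - " + SESSION + r"$"
)


def parse_line(line):
    """Return a dict describing one %FW-4-TCP_OoO_SEG event, or None for any other line."""
    m = DROP_RE.match(line)
    if m:
        seq, expected = int(m["seq"]), int(m["expected"])
        return {
            "kind": "drop",
            "ts": m["ts"],
            "reason": m["reason"],
            "size": int(m["size"]),
            # How far ahead of the expected byte the dropped segment sat. Reduced
            # modulo 2**32 so a wrapped TCP sequence space still yields a positive gap.
            "gap": (seq - expected) % (1 << 32),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
        }
    m = TIMEOUT_RE.match(line)
    if m:
        return {
            "kind": "timeout",
            "ts": m["ts"],
            "reason": "expected segment not seen within %s s" % m["wait"],
            "wait": int(m["wait"]),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
        }
    return None


def summarize(log_text):
    """Parse a block of syslog text and group the events the way you would triage them."""
    events, unparsed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed += 1  # other syslog traffic, or a line still wrapped by the console
        else:
            events.append(ev)
    return {
        "total": len(events),
        "unparsed": unparsed,
        "by_kind": Counter(e["kind"] for e in events),
        "by_reason": Counter(e["reason"] for e in events),
        "by_src": Counter(e["src"] for e in events),   # inside hosts whose sessions were hit
        "by_dst": Counter(e["dst"] for e in events),   # outside peers involved
        "gaps": sorted({e["gap"] for e in events if e["kind"] == "drop"}),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("events:", s["total"], "unparsed:", s["unparsed"])
    for key in ("by_kind", "by_reason", "by_src", "by_dst"):
        print(key, dict(s[key]))
    print("distinct gaps ahead of expected seq (bytes):", s["gaps"])
```

On the thread's own lines this reports three queue-overflow drops and one timeout, all three drops against the same outside peer on port 80, and every dropped segment exactly 24820 bytes ahead of the byte the firewall was waiting for. Run against a longer capture from `show log`, the per-source and per-destination counters are what separate "one flaky path to one server" from "every inside host, every peer", which is what decides whether tuning the reassembly queue (as suggested later in the thread) is the right lever.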
10-26-2010 01:39 PM
Hello Adnan,
see
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_i3.html#wp1060958
Three of the 4 messages are caused by the fact that the router holds fragments of a big TCP PDU and it has no space for others, and so it has to drop.
The third one is caused by timer expiration.
>> The max-reassemblies number option and the max-fragments number option allow you to configure maximum threshold values to avoid a buffer overflow attack and to control memory usage.
In addition to configuring the maximum threshold values, each IP datagram is associated with a managed timer. If the IP datagram does not receive all of the fragments within the specified time (which can be configured via the timeout seconds option), the timer will expire and the IP datagram (and all of its fragments) will be dropped.
You could try to increase the max-fragments to see if the frequency of the message reduces, if these sessions are started from inside (from private IP addresses).
Hope to help
Giuseppe
10-27-2010 10:44 AM
Hi Quislar:
I have applied this command:
ip inspect tcp reassembly queue length 100
Still getting the same logs. Maybe I have to wait and see, not sure. Were you referring to any other commands? Please let me know and I can try.
Help plz!