8414 Views | 0 Helpful | 13 Replies

TCP problem with ASA

avburren1
Level 1

Hi,

I am installing a new ASA 5510 firewall and I have a specific problem with HTTP connections in the LAN to receive a video flow from a security camera.

Users usually receive the video flow via VLC using web access: http://ip_camera/axis-cgi/mjpg/video.cgi?resolution=320x2 ...

The problem is that:

     - PC users using the ASA LAN interface as gateway can ping the video camera but don't receive the video flow (frames captured with Wireshark indicate: Acked Lost Segment or Broken TCP).
     - On the contrary, PC users using another gateway can ping and receive the video flow (frames captured with Wireshark indicate: TCP segment of a reassembled PDU).

So I'm wondering if the ASA has the possibility to fragment packets larger than the MTU for retransmission, because I think it's an ASA TCP problem. And what is the meaning of the "timeout tcp-proxy-reassembly" option?

I've already checked the ACLs.

Thank you.

13 Replies

Hi,

Which OS version of ASA are you using?

Did you try to adjust tcp-mss on the ASA?

HTH,

Toshi

TCP timeout reassembly = the packets waiting in the buffer for reassembly are dropped after the default time of 1 minute. You can increase this timer as per your needs using:

asa(config)#timeout tcp-proxy-reassembly ?

Please post the show logging output with these errors. It could be possible that large (fragmented) packets are waiting to be reassembled for a longer period than one minute and are being dropped.

Manish

Hi,

I am using ASA 8.2 and I have not tried to adjust tcp-mss.

I have just read that the MSS range is from 500 to 1460. What is the default value when we don't adjust this parameter? And what's the correct value I should set according to my problem?

Thanks.

Hi,

The default value is 1380. I just want you to try the following command.

!

ASA(config)# sysopt connection tcpmss 1200

!

You might have read the following document already.

Ref: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml

HTH,

Toshi

OK, I will try.

However, I don't have this message in the ASDM logs:

%ASA-4-419001: Dropping TCP packet from outside:192.168.x.x/80 to
inside:192.168.x.x/1025, reason: MSS exceeded, MSS 460, data 1440

So I don't know yet if it is really an MSS problem...

I've read a document which explains that the tcpmss command forces the size of the TCP segments to a small value during TCP's initialization sequence.

If the problem goes on, I should set a lower value than 1200, shouldn't I?

What about the value "exceed-mss allow"? I don't really understand the difference.

Thank you.

Florin Barhala
Level 6

I would start with ASA's inspection profile:

service-policy global_policy global


policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect http
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

Disable any HTTP inspection; then use the capture feature on the ASA and see what really happens when using that video flow/stream.

Hi,

HTTP inspection is disabled. I changed several TCP parameters such as tcpmss, ip fragment and timeout tcp-proxy-reassembly, but it is still the same problem, and I have attached the logs captured with ASDM.

This is the ASDM error log message:

106015: Deny TCP (no connection) from IP_address/port to IP_address/port flags tcp_flags on interface interface_name.
The adaptive security appliance discarded a TCP packet that has no associated connection in the adaptive security appliance connection table. The adaptive security appliance looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the adaptive security appliance discards the packet.

I don't understand why I can't connect to the camera web interface with HTTP whereas I can ping it.

Any other ideas?

Thank you.
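As an added example (not code from this thread or from Cisco), here is a small Python triage script for the two ASA message formats quoted above, 419001 (MSS exceeded) and 106015 (Deny TCP, no connection). It parses constructed sample lines laid out like those messages and maps each drop to the condition a firewall engineer would check next; in particular, a SYN/ACK denied with "no connection" means the firewall never saw the client's SYN, which is the signature of an asymmetric path. The addresses, ports and the extra 302013 line in the sample are made up.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample log, modelled on the 419001 and 106015 formats quoted in
# the thread; addresses, ports and the 302013 line are made up for the example.
SAMPLE_LOG = """\
%ASA-4-419001: Dropping TCP packet from outside:192.168.4.20/80 to inside:192.168.1.121/1025, reason: MSS exceeded, MSS 460, data 1440
%ASA-6-106015: Deny TCP (no connection) from 192.168.4.20/80 to 192.168.1.121/49741 flags SYN ACK  on interface inside
%ASA-6-106015: Deny TCP (no connection) from 192.168.4.20/80 to 192.168.1.121/49741 flags PSH ACK  on interface inside
%ASA-6-302013: Built inbound TCP connection 12345 for inside:192.168.1.121/49742 (192.168.1.121/49742) to outside:192.168.4.20/80 (192.168.4.20/80)
"""


@dataclass
class TcpDrop:
    msg_id: int
    src: str                          # ip/port exactly as the ASA prints it
    dst: str
    interface: Optional[str] = None   # 106015 only
    flags: Optional[str] = None       # 106015 only, e.g. "SYN ACK"
    mss: Optional[int] = None         # 419001 only: MSS advertised by the other end
    data: Optional[int] = None        # 419001 only: payload bytes actually sent


RE_419001 = re.compile(
    r"%ASA-\d-419001: Dropping TCP packet from \S+?:(\S+) to \S+?:(\S+), "
    r"reason: MSS exceeded, MSS (\d+), data (\d+)")
RE_106015 = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) from (\S+) to (\S+) "
    r"flags (.*?)\s+on interface (\S+)")


def parse_line(line: str) -> Optional[TcpDrop]:
    """Return a TcpDrop for the two drop messages of interest, else None."""
    m = RE_419001.search(line)
    if m:
        return TcpDrop(419001, m.group(1), m.group(2),
                       mss=int(m.group(3)), data=int(m.group(4)))
    m = RE_106015.search(line)
    if m:
        return TcpDrop(106015, m.group(1), m.group(2),
                       interface=m.group(4), flags=m.group(3).strip())
    return None


def diagnose(drop: TcpDrop) -> str:
    """Map a drop to the condition worth checking next."""
    if drop.msg_id == 419001:
        # The TCP normalizer saw a segment larger than the MSS the other end
        # advertised; 'sysopt connection tcpmss' and the tcp-map 'exceed-mss'
        # setting are the knobs that govern this.
        return "mss-exceeded"
    flags = set(drop.flags.split())
    if flags == {"SYN", "ACK"}:
        # A SYN/ACK with no connection entry: the ASA never saw the client's
        # SYN, so the forward path bypassed it (asymmetric routing).
        return "syn-ack-without-syn"
    if "SYN" in flags:
        return "syn-denied"            # a lone SYN should build state; check ACL/NAT
    return "mid-stream-no-state"       # data or ACK for a flow the ASA lost or never saw


def triage(lines: Iterable[str]) -> Counter:
    """Count diagnoses over a log; unrelated lines are ignored."""
    counts: Counter = Counter()
    for line in lines:
        drop = parse_line(line)
        if drop:
            counts[diagnose(drop)] += 1
    return counts


if __name__ == "__main__":
    for kind, n in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{kind}: {n}")
```

Run against a real `show logging` export, a count dominated by `syn-ack-without-syn` toward the camera's clients points at routing (the SYN leaving by another gateway) rather than at MSS or ACL settings.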

Hi,

Can I be a bit pedantic and ask if the rules are properly applied? I mean, are the ACLs for the respective ports applied to the right interface?

Can you telnet to that box using port 80 from those machines? ICMP is generally allowed to test L3 reachability.

HTH

Regards,

Kishore

Yes, the ACLs are correct. I used Packet Tracer. ICMP and HTTP are allowed.

I didn't try to telnet to the camera using port 80.

Can you please try to telnet using port 80 and see the logs on the ASA?

Just type "telnet 80" from one of your hosts and check what logs you see on the ASA.

OK, but what's the purpose of knowing the result of this command?

I'm analysing the frames when it works and when it doesn't work. There is one parameter that changes: "Window Scale".

192.168.1.121  192.168.4.20  TCP  49741 > http [SYN] Seq=0 win 8192 Len=0 MSS=1460 WS=2

192.168.1.254  192.168.1.121  (ICMP Redirect for Host)

192.168.4.20  192.168.1.121  TCP  http > 49741 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=1

In the frame detail:

Window Scale: 2 (multiply by 4)

I don't have this parameter in the frames when it doesn't work:

192.168.1.121  192.168.4.20  TCP  l2f  > http [SYN] Seq=0 win 65535 Len=0 MSS=1460

192.168.4.20  192.168.1.121  TCP [TCP Acked Lost Segment] Http > l2f [SYN,ACK] Seq=0 Ack= 1278274611 win=5840 Len=0 MSS=1460

Is it a possibility that the ASA blocks the Window Scale option?

Thank You.
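As an added example (not from the thread or from Cisco), the following Python script parses Wireshark summary lines in the shape of the four quoted above, pairs a SYN with its SYN/ACK, and reports whether window scaling was actually negotiated. It assumes the `WS=n` value is the shift count (window multiplied by 2^n, matching the "multiply by 4" reading above), and the two captured handshakes are embedded as constructed sample input.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample in the shape of the Wireshark summary lines quoted in the
# thread: the first pair is the working handshake, the second the failing one.
WORKING = [
    "192.168.1.121  192.168.4.20  TCP  49741 > http [SYN] Seq=0 win 8192 Len=0 MSS=1460 WS=2",
    "192.168.4.20  192.168.1.121  TCP  http > 49741 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=1",
]
FAILING = [
    "192.168.1.121  192.168.4.20  TCP  l2f  > http [SYN] Seq=0 win 65535 Len=0 MSS=1460",
    "192.168.4.20  192.168.1.121  TCP [TCP Acked Lost Segment] Http > l2f [SYN,ACK] Seq=0 Ack= 1278274611 win=5840 Len=0 MSS=1460",
]

ADDR_RE = re.compile(r"^(\S+)\s+(\S+)\s+TCP\b")
# Only a bracket group made of TCP flag names counts; Wireshark's analysis
# annotations such as "[TCP Acked Lost Segment]" are skipped.
FLAG = r"(?:SYN|ACK|FIN|RST|PSH|URG)"
FLAGS_RE = re.compile(rf"\[({FLAG}(?:,\s*{FLAG})*)\]")
WIN_RE = re.compile(r"\b[Ww]in=?\s*(\d+)")
MSS_RE = re.compile(r"\bMSS=(\d+)")
WS_RE = re.compile(r"\bWS=(\d+)")   # assumption: WS=n is the shift count (window * 2**n)


@dataclass
class Segment:
    src: str
    dst: str
    flags: Set[str]
    win: int
    mss: Optional[int]
    ws_shift: Optional[int]


def parse_summary(line: str) -> Segment:
    """Extract endpoints, flags, raw window and the MSS/WS options from one summary line."""
    a, f, w = ADDR_RE.match(line), FLAGS_RE.search(line), WIN_RE.search(line)
    if not (a and f and w):
        raise ValueError(f"not a TCP summary line: {line!r}")
    m, s = MSS_RE.search(line), WS_RE.search(line)
    return Segment(a.group(1), a.group(2),
                   {x.strip() for x in f.group(1).split(",")},
                   int(w.group(1)),
                   int(m.group(1)) if m else None,
                   int(s.group(1)) if s else None)


def handshake_report(syn_line: str, synack_line: str) -> dict:
    """Pair a SYN with its SYN/ACK and say whether window scaling is in effect."""
    syn, synack = parse_summary(syn_line), parse_summary(synack_line)
    if syn.flags != {"SYN"} or synack.flags != {"SYN", "ACK"}:
        raise ValueError("expected a SYN followed by a SYN/ACK")
    if (synack.src, synack.dst) != (syn.dst, syn.src):
        raise ValueError("SYN/ACK does not answer the SYN")
    c_ws, s_ws = syn.ws_shift, synack.ws_shift
    # RFC 7323: scaling applies only when BOTH the SYN and the SYN/ACK carry the option.
    negotiated = c_ws is not None and s_ws is not None
    return {
        "client": syn.src, "server": syn.dst,
        "client_ws": c_ws, "server_ws": s_ws,
        "scaling_negotiated": negotiated,
        # factor each side applies to the window values it advertises after the handshake
        "client_scale": 2 ** c_ws if negotiated else 1,
        "server_scale": 2 ** s_ws if negotiated else 1,
        # option present in one direction only: the classic sign of a middlebox clearing it
        "option_asymmetric": (c_ws is None) != (s_ws is None),
        "mss": (syn.mss, synack.mss),
    }


def missing_options(working: List[str], failing: List[str]) -> List[str]:
    """Option names present on every line of the working handshake but not the failing one."""
    def has(lines: List[str], name: str) -> bool:
        return all(re.search(rf"\b{name}=", ln) for ln in lines)
    return [n for n in ("MSS", "WS") if has(working, n) and not has(failing, n)]


if __name__ == "__main__":
    print(handshake_report(*WORKING))
    print(handshake_report(*FAILING))
    print("options lost in the failing capture:", missing_options(WORKING, FAILING))
```

The `option_asymmetric` flag is the one to watch: when a device clears the option from only one direction, the two ends disagree on the scale factor, one side overruns the other's real window, and the capture fills with lost-segment and retransmission annotations. In the failing pair quoted above neither side sends WS, so scaling is simply off and the report will show that. On the ASA the TCP normalizer's tcp-map `tcp-options window-scale allow|clear` setting decides whether the option is preserved or stripped.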

avb avb,

Did you ever find a solution?

Thanks,

AA
