Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5578
Views
4
Helpful
3
Replies

TCP Out-of-Order Packet support

Go to solution
ROBERTO TACCON
Level 4
Level 4

‎06-02-2009 06:41 AM - edited ‎03-11-2019 08:38 AM

Hi to all,

the Cisco IOS ZONE BASED Firewall support the feature "TCP Out-of-Order Packet support" ?

https://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_out_order_fwall.html#wp1049430

Regards

Roberto Taccon

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
zenon_electronics
Level 1
Level 1
In response to ROBERTO TACCON

‎11-02-2009 01:52 AM

Hi Roberto,

In the new IOS 15.0(M) ZBF already supports out-of-order TCP packets

look here:

http://www.cisco.com/en/US/customer/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew.html

Regards,

Tihomir Yosifov

View solution in original post

0 Helpful
3 Replies 3

Go to solution
plumbis
Level 7
Level 7

‎06-02-2009 08:47 PM

This should be supported as documented with the "ip inspect tcp reassembly" command but be aware this could cause performance issues with a large number of fragmented packets.

Go to solution
ROBERTO TACCON
Level 4
Level 4
In response to plumbis

‎06-03-2009 07:04 AM

Hi Pete,

thanks for the reply BUT:

1) CAN YOU CONFIRM THAT ON THE LATEST IOS VERSION THE FEATURE IS AVAILABLE / WHICH ONE / ARE THERE ANY DOCS ?

2) as indicated on the docs (for the IOS 12.4T) the Zone-based policy firewall does NOT support IT:

Restrictions for TCP Out-of-Order Packet Support for Cisco IOS Firewall and Cisco IOS IPS:

•The feature is enabled by default. The user must explicitly disable it. To disable TCP out-of-order packet buffering and reassembly, issue the ip inspect tcp reassembly queue length 0 command.

•Zone-based policy firewall is not supported. Only Cisco IOS IPS and Cisco IOS Firewall application inspection can support out-of-order TCP packets.

https://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_out_order_fwall.html#wp1049430

Regards,

Roberto Taccon

0 Helpful

Go to solution
zenon_electronics
Level 1
Level 1
In response to ROBERTO TACCON

‎11-02-2009 01:52 AM

Hi Roberto,

In the new IOS 15.0(M) ZBF already supports out-of-order TCP packets

look here:

http://www.cisco.com/en/US/customer/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew.html

Regards,

Tihomir Yosifov

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card