New parameter "timeout tcp-proxy-reassembly" in ASA 8.2

Answered Question
Sep 30th, 2009

I couldn't find much in the config guide or web site for this. Can someone tell me in which situations this would come into play? Here is the CLI help:

"Configure idle timeout after which buffered packets waiting for reassembly in tcp-proxy are dropped"

Correct Answer by Kureli Sankar, Sat, 10/03/2009 - 17:58

5505(config)# timeout tcp-proxy-reassembly ?

configure mode commands/options:

<0:0:10> - <1193:0:0> Idle time after which buffered packets waiting for reassembly in tcp-proxy are dropped, default is 0:01:00

This command was added as a result of this defect CSCsq30162.

The TCP proxy (for inspected traffic) on the security appliance does not have a timeout to age out segments that are not fully reassembled. As a result of the above defect, we now have a command to age out these segments.

The command reference guide is missing this command. We will take care of that on our end. Thanks for bringing it to our attention.
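As an added illustration (not code from the thread or from Cisco), the small helper below validates a candidate value for this command against the range and default the CLI help above prints, <0:0:10> - <1193:0:0> with a default of 0:01:00, and builds the configuration line, so an out-of-range value is caught before it is pushed to a device. The value format h:m:s is assumed from that help text.

```python
# Added example, not from the original thread: validate an ASA
# "timeout tcp-proxy-reassembly" value against the range shown by the
# CLI help (<0:0:10> - <1193:0:0>, default 0:01:00) and emit the config line.
import re

# Bounds and default taken from the CLI help quoted in the answer.
MIN_SECONDS = 10            # 0:0:10
MAX_SECONDS = 1193 * 3600   # 1193:0:0
DEFAULT = "0:01:00"         # one minute

# h:m:s as the ASA prints it; hours may run to four digits (1193).
_HMS = re.compile(r"^(\d{1,4}):(\d{1,2}):(\d{1,2})$")


def hms_to_seconds(value: str) -> int:
    """Convert an ASA-style h:m:s timeout string to whole seconds.

    Raises ValueError for anything that is not h:m:s with m, s below 60.
    """
    m = _HMS.match(value.strip())
    if not m:
        raise ValueError(f"not an h:m:s value: {value!r}")
    hours, minutes, seconds = (int(x) for x in m.groups())
    if minutes >= 60 or seconds >= 60:
        raise ValueError(f"minutes/seconds out of range: {value!r}")
    return hours * 3600 + minutes * 60 + seconds


def in_supported_range(value: str) -> bool:
    """True if the value lies within <0:0:10> - <1193:0:0>."""
    return MIN_SECONDS <= hms_to_seconds(value) <= MAX_SECONDS


def config_line(value: str = DEFAULT) -> str:
    """Return the configuration line, refusing values the help text
    says the command does not accept."""
    if not in_supported_range(value):
        raise ValueError(f"{value} is outside <0:0:10> - <1193:0:0>")
    return f"timeout tcp-proxy-reassembly {value}"
```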


emagallo Fri, 06/01/2012 - 04:37

Hi.

I've had a very interesting discussion with a TAC engineer about this command.

The engineer mentions that, with this command, ASA behaves in the following way:

When the ASA receives fragmented data, it puts the fragments in the buffer to be able to reassemble them and then send them. When the buffer exceeds the limit, the ASA starts dropping the packets being reassembled, so the reason for the packet drop is always that the buffer limit was exceeded. By using the command "tcp-proxy-reassembly", the ASA waits for an idle time which is determined by this command. The reason why we need this idle time is that, after dropping the fragmented packet, the ASA still keeps the connection in the conn table open, waiting to reassemble the fragments and send them, but this will not happen as the fragment was dropped, so this will keep the connection in the conn table and exhaust the ASA memory with a lot of connections that are not really used. After dropping the fragment, the ASA waits for the timeout specified by tcp-proxy-reassembly to delete the connection from the connection table.

So, in summary, the ASA does not use this command to delete the fragment after the timeout; it uses this command to delete the connection, after the drop of the fragment (which is caused by the buffer limit), once that time has elapsed.

So keep that in mind when you use it.

Best regards,

Ernesto.
