Connection problem over vpn - reassembly limit of 8192 bytes exceeded

Unanswered Question
Nov 9th, 2009


I have two locations and these two sites are connected with site-to-site vpn. One site has ASA firewall and other site is checkpoint ADSL. When the checkpoint side tries to reach a server in other side it can ping but the application cannot connect and I see the error in asa logs. What can be the problem ?


Terminating TCP-Proxy connection from WAN_ADSL:x.x.x.x to LAN:y.y.y.y - reassembly limit of 8192 bytes exceeded

Teardown TCP-PROXY connection from WAN_ADSL:x.x.x.x to LAN:y.y.y.y duration 0:00:01 bytes 22320 Flow closed by inspection

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Panos Kampanakis Mon, 11/09/2009 - 06:46

This message is displayed when reassembly buffer limit is exceeded during assembling TCP segments.

What protocol is the app using, what ports? Amybe disabling the corresponding inspection for that protocol would help.

I hope it helps.


blackswans Mon, 11/09/2009 - 06:49

It is Oracle and using 1521 tcp.

I disabled sqlnet inspection but it didnt worked. Now I will upgrade the asa image and try again.

Panos Kampanakis Tue, 11/10/2009 - 06:39

Yes, slq uses TCP port 1521.

Whate version of ASA are you using?

If you translating the ip address if the sql traffic then it won't work without inspection.


Panos Kampanakis Tue, 11/10/2009 - 06:40

Some 8.0 versions had some sql issues that were fixed in later versions.

If this ends up needing troubleshooting please open a case with TAC to look at it.


blackswans Tue, 11/10/2009 - 06:58

I solved the problem by upgrading to latest version and removing sql inspection.

cisco24x7 Tue, 11/10/2009 - 09:27

I have the following question for Cisco Folks regarding sqlnet inspection.

About 99% of my Pix/ASA firewall deployment that involves sqlnet, I have to disable inspection on the firewall for it to work properly. What is the point of enabling this feature if it is causing nothing but headache.

Thanks. David


This Discussion