
Connection problem over vpn - reassembly limit of 8192 bytes exceeded

blackswans
Level 1

Hi,

I have two locations and these two sites are connected with a site-to-site VPN. One site has an ASA firewall and the other site is Check Point ADSL. When the Check Point side tries to reach a server on the other side it can ping, but the application cannot connect and I see the error in the ASA logs. What can be the problem?

Thanks

Terminating TCP-Proxy connection from WAN_ADSL:x.x.x.x to LAN:y.y.y.y - reassembly limit of 8192 bytes exceeded

Teardown TCP-PROXY connection from WAN_ADSL:x.x.x.x to LAN:y.y.y.y duration 0:00:01 bytes 22320 Flow closed by inspection


Panos Kampanakis
Cisco Employee

This message is displayed when the reassembly buffer limit is exceeded while assembling TCP segments.

What protocol is the app using, what ports? Maybe disabling the corresponding inspection for that protocol would help.

I hope it helps.

PK

It is Oracle and using 1521 TCP.

I disabled sqlnet inspection but it didn't work. Now I will upgrade the ASA image and try again.

Yes, SQL uses TCP port 1521.

What version of ASA are you using?

If you are translating the IP address of the SQL traffic then it won't work without inspection.

PK

Some 8.0 versions had some SQL issues that were fixed in later versions.

If this ends up needing troubleshooting please open a case with TAC to look at it.

PK

I solved the problem by upgrading to the latest version and removing SQL inspection.

I have the following question for Cisco folks regarding sqlnet inspection.

In about 99% of my PIX/ASA firewall deployments that involve sqlnet, I have to disable inspection on the firewall for it to work properly. What is the point of enabling this feature if it is causing nothing but headaches?

Thanks. David
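
Added example, not part of the thread or any poster's code: a small Python triage script that groups the two ASA messages quoted in the original post by source and destination, showing which host pairs are being closed by the inspection reassembly limit before anyone changes the inspection policy. The addresses, the `/port` suffixes and the sample lines are constructed; the message wording follows the lines quoted above.

```python
import re
from collections import defaultdict

# Patterns follow the two messages quoted in the thread. They are unanchored,
# so any timestamp or syslog prefix in front of the message is skipped.
TERMINATE = re.compile(
    r"Terminating TCP-Proxy connection from (?P<src>\S+) to (?P<dst>\S+)"
    r" - reassembly limit of (?P<limit>\d+) bytes exceeded")
TEARDOWN = re.compile(
    r"Teardown TCP-PROXY connection from (?P<src>\S+) to (?P<dst>\S+)"
    r" duration (?P<dur>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+)$")

def host(endpoint):
    """Strip an optional /port (assumed format) so flows group per host pair."""
    return endpoint.split("/")[0]

def summarize(lines):
    """Return {(src, dst): stats} for pairs that hit the reassembly limit."""
    flows = defaultdict(lambda: {"hits": 0, "limit": None, "bytes_at_teardown": []})
    for line in lines:
        m = TERMINATE.search(line)
        if m:
            flow = flows[(host(m["src"]), host(m["dst"]))]
            flow["hits"] += 1
            flow["limit"] = int(m["limit"])
            continue
        m = TEARDOWN.search(line)
        if m and "inspection" in m["reason"]:
            key = (host(m["src"]), host(m["dst"]))
            if key in flows:  # ignore teardowns for pairs that never hit the limit
                flows[key]["bytes_at_teardown"].append(int(m["bytes"]))
    return dict(flows)

# Constructed sample log lines (documentation addresses, invented ports).
SAMPLE = [
    "Terminating TCP-Proxy connection from WAN_ADSL:192.0.2.10/40112 to LAN:198.51.100.20/1521 - reassembly limit of 8192 bytes exceeded",
    "Teardown TCP-PROXY connection from WAN_ADSL:192.0.2.10/40112 to LAN:198.51.100.20/1521 duration 0:00:01 bytes 22320 Flow closed by inspection",
    "Terminating TCP-Proxy connection from WAN_ADSL:192.0.2.10/40113 to LAN:198.51.100.20/1521 - reassembly limit of 8192 bytes exceeded",
    "Teardown TCP-PROXY connection from WAN_ADSL:192.0.2.10/40113 to LAN:198.51.100.20/1521 duration 0:00:02 bytes 9100 Flow closed by inspection",
    "Teardown TCP-PROXY connection from WAN_ADSL:192.0.2.11/5000 to LAN:198.51.100.20/1521 duration 0:00:05 bytes 512 Flow closed by inspection",
]

if __name__ == "__main__":
    for (src, dst), f in summarize(SAMPLE).items():
        print(f"{src} -> {dst}: {f['hits']} terminations at {f['limit']} bytes, "
              f"teardown byte counts {f['bytes_at_teardown']}")
```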
