Re: New parameter "timeout tcp-proxy-reassembly" in ASA 8.2
I've had a very interesting discussion with a TAC engineer about this command.
The engineer mentions that, with this command, ASA behaves in the following way:
When the ASA receive a fragmented data, it puts the fragments in the buffer to be able to reassemble it and then sent it. When the buffer exceed the limit, the ASA start dropping the reassemble packets so the reason for the packet drop is always the buffer limit exceed . by using the command “tcp-proxy-reassembly”, the ASA wait for an idle time which is determined by this command, the reason why we need this idle time is that the ASA after dropping the fragmented packet still keeps the connection in the conn table open waiting to reassemble the fragments and send it , but this will not happen as the fragment was dropped , so this will keep the connection in the conn table and exhaust the ASA memory by a lot of connections that are not really used. After dropping the fragment the ASA waits for the timeout specified by the tcp-proxy-reassembly to delete the connection from the connection table.
So in summary the ASA uses this command not to delete the fragment after the timeout , it uses this command to delete the connection after the drop of the fragment (which is caused by the buffer limit) with the time.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...