TCP out-of-order at IPS

Anuar Shahrin
Level 1

Dear All,

We have set up the IPS 4510 in inline mode with strict inspection turned on. We have detected some latency issues accessing the internal website, so we did some captures at the IPS interface. We found that there are a lot of out-of-order packets and DUP ACKs detected by the IPS, which causes the normalizer engine buffer to fill up so it cannot handle any more requests. As a workaround we put the IPS in asymmetric mode, which turns off the IPS normalizer engine.

I need some opinions on the possible reasons why the out-of-order packets and DUP ACKs happen.

We are seeing quite a lot of out-of-order packets, DUP ACKs and TCP zero window in the TCP streams that we captured.


The topology is quite straight forward:

Internet ----WAN ROUTER ----- IPS4510 ----- ASA ----- Web server

There's no redundancy or load balancing for the ASA or WAN router.

I'm hoping for some opinions and ideas on how to tackle this issue.

Thank you very much
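The symptoms in the post (out-of-order segments, duplicate ACKs, zero window) are the same expert-info heuristics Wireshark applies to a TCP stream. The script below is an added example, not part of the original post and not Cisco code: it replays a small constructed stream of TCP segments through a simplified version of those heuristics so you can see how each condition is derived from sequence, acknowledgement and window numbers alone. The segment list, addresses and the function names are all assumptions for illustration.

```python
"""Classify TCP stream anomalies (out-of-order, retransmission, duplicate ACK,
zero window, window update) from a list of captured segments.

Added example for this thread. The heuristics are a simplified form of
Wireshark's TCP analysis; all segments below are constructed sample data."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    win: int
    length: int        # payload bytes
    flags: str = "A"   # subset of "SAFRP"; "A" alone is a pure ACK


@dataclass
class DirState:
    """Per-direction bookkeeping (one entry per (src, dst) pair)."""
    next_seq: Optional[int] = None                 # highest seq+len seen
    seen: Set[Tuple[int, int]] = field(default_factory=set)  # (seq, len) pairs
    last_ack: Optional[int] = None
    last_win: Optional[int] = None
    dup_acks: int = 0


def classify(segments: List[Segment]) -> List[Tuple[int, List[str]]]:
    """Return (index, notes) for every segment; notes is empty when normal."""
    state: Dict[Tuple[str, str], DirState] = {}
    findings: List[Tuple[int, List[str]]] = []
    for i, s in enumerate(segments):
        st = state.setdefault((s.src, s.dst), DirState())
        notes: List[str] = []

        # Receiver advertises no buffer space: sender must stall.
        if s.win == 0 and "R" not in s.flags:
            notes.append("zero-window")

        if s.length > 0:
            if st.next_seq is not None:
                if s.seq > st.next_seq:
                    # Gap below this segment: an earlier segment was lost or
                    # simply not captured at this tap point.
                    notes.append("previous-segment-not-captured")
                elif s.seq < st.next_seq:
                    # Below the highest byte seen. Bytes already seen are a
                    # retransmission; unseen bytes fill a gap -> out-of-order.
                    if (s.seq, s.length) in st.seen:
                        notes.append("retransmission")
                    else:
                        notes.append("out-of-order")
            st.seen.add((s.seq, s.length))
            st.next_seq = max(st.next_seq or 0, s.seq + s.length)
        elif s.flags == "A":
            # Pure ACK: same ack number and window as the previous one from
            # this side means the receiver is asking for a gap to be filled.
            if s.ack == st.last_ack:
                if s.win == st.last_win:
                    st.dup_acks += 1
                    notes.append(f"dup-ack#{st.dup_acks}")
                else:
                    notes.append("window-update")
            else:
                st.dup_acks = 0

        st.last_ack, st.last_win = s.ack, s.win
        findings.append((i, notes))
    return findings


def summarize(findings: List[Tuple[int, List[str]]]) -> Dict[str, int]:
    """Count each anomaly kind (dup-ack#N collapsed to dup-ack)."""
    counts: Counter = Counter()
    for _, notes in findings:
        for n in notes:
            counts[n.split("#")[0]] += 1
    return dict(counts)


# Constructed sample stream: client C sends data to server S through a tap
# that sees one segment late and one segment twice (not a real capture).
C, S = "203.0.113.10", "192.168.100.20"
SAMPLE = [
    Segment(C, S, seq=1,   ack=1,   win=65535, length=100),   # 0 first data
    Segment(S, C, seq=1,   ack=101, win=65535, length=0),     # 1 normal ACK
    Segment(C, S, seq=301, ack=1,   win=65535, length=100),   # 2 bytes 101-300 missing
    Segment(S, C, seq=1,   ack=101, win=65535, length=0),     # 3 dup ACK #1
    Segment(S, C, seq=1,   ack=101, win=65535, length=0),     # 4 dup ACK #2
    Segment(C, S, seq=101, ack=1,   win=65535, length=200),   # 5 late segment: out-of-order
    Segment(S, C, seq=1,   ack=401, win=0,     length=0),     # 6 zero window
    Segment(C, S, seq=301, ack=1,   win=65535, length=100),   # 7 retransmission
    Segment(S, C, seq=1,   ack=401, win=65535, length=0),     # 8 window update
]

if __name__ == "__main__":
    for idx, notes in classify(SAMPLE):
        if notes:
            print(idx, ", ".join(notes))
    print(summarize(classify(SAMPLE)))
```

Run against a real capture (for example, segments exported from tshark), the counts from `summarize` give a quick view of which direction is generating the duplicate ACKs and whether the "out-of-order" segments are genuine reordering or simply frames the tap point never saw; the latter is common when the capture is taken on one interface of an inline device while the other half of the path is asymmetric.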

6 Replies

mhnedirli
Level 1

Hello, 

For which traffic do you have this problem? Did you try any other TCP session for the same IP and port? Could you share the ASA logging for this traffic? Generally firewalls block TCP traffic when they get out-of-order packets. You can listen to the traffic with Wireshark on the server side and trace the TCP traffic.

Hi,

Thanks for the reply.

Unfortunately I'm unable to access the ASA right now.

We did the capture at the IPS, where we are seeing the out-of-order packets.

You may refer to the capture. Unfortunately I could not show the IP. The IP is a public IP which we NAT at the ASA from our internal network.

Basically the idea of the IP layout is as below:

2.2.2.2 ---- ASA NAT ------ F5 BIG-IP: 192.168.100.100 ---- Web Accelerator: 192.168.100.20 (it has 4 interfaces connected to the server with the same range of IP and gateway to the ASA FW).

Hi, 

Could you check the F5 session table? In the middle, a device is blocking your SYN+ACK packet.

Hi, 

The F5 is deployed in one-arm configuration.

We are also suspecting the same.

Is there any problem if we have a 100Mbps connection between the ASA and IPS while the others are at 1000Mbps?

Hi,

Yes, check the MTU size of the devices. Maybe the IPS side tries to send big packets because of the MTU size, another device in the network will try to fragment this packet, and maybe the ASA etc. blocks the fragmented packets. Try to change the MSS size for the TCP traffic.

Anuar Shahrin
Level 1

Hi

Bumping up an old thread since the issue is still ongoing.

I already discussed the issue with TAC, and these are the 2 options that she gave:

+ asymmetric mode (Which we rejected as permanent solution)

+ Event action filter

I'm currently looking at this solution and plan to implement it in the IPS.

I need to consider a few things and would also like suggestions:

+ The signature engine involved is the Normalizer engine (specifically sig 1330)

+ Is it possible to customize this signature, or should we just go for an Event action filter?

I need opinions and the pros and cons of this.


Thanks a bunch
