Cisco Support Community

New Member

Cisco 2911 show log

Hi there,
Under show logs my router 2911 is showing lots of logs like these ones:
****************************************************************
Oct 26 15:20:31.987: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:1663435490 1500 bytes is out-of-order; expected seq:1663410670. Reason: TCP reassembly queue overflow - session 10.10.11.61:49401 to 74.208.125.236:80
Oct 26 15:20:33.971: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:1697625256 1500 bytes is out-of-order; expected seq:1697600436. Reason: TCP reassembly queue overflow - session 10.10.11.61:49402 to 74.208.125.236:80
Oct 26 15:27:14.799: %FW-4-TCP_OoO_SEG: Deleting session as expected TCP segment with seq:2348714920 has not arrived even after 25 seconds - session 10.10.10.236:57329 to 66.220.151.69:80
Oct 26 15:40:45.703: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3518435753 1500 bytes is out-of-order; expected seq:3518410933. Reason: TCP reassembly queue overflow - session 10.10.11.93:49643 to 74.208.125.236:80
********************************************************
Are these logs fine or do I need to check anything else?
Attached is my show run:

Help plz!

  • LAN Switching and Routing
2 REPLIES
Hall of Fame Super Silver

Re: Cisco 2911 show log

Hello Adnan,

See

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_i3.html#wp1060958

Three of the 4 messages are caused by the fact that the router holds fragments of a big TCP PDU and it has no space for others, and so it has to drop.

The third one is caused by timer expiration.

>> The max-reassemblies number option and the max-fragments number option allow you to configure maximum threshold values to avoid a buffer overflow attack and to control memory usage.

In addition to configuring the maximum threshold values, each IP datagram is associated with a managed timer. If the IP datagram does not receive all of the fragments within the specified time (which can be configured via the timeout seconds option), the timer will expire and the IP datagram (and all of its fragments) will be dropped.

You could try to increase the max-fragments to see if the frequency of the message reduces, if these sessions are started from inside (from private IP addresses).

Hope to help

Giuseppe
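The four messages from the question, parsed and grouped the way the reply above describes them (segment drops from TCP reassembly queue overflow versus a session deleted when the expected segment never arrived before the timer expired), as an added example that is not part of the original thread. The sample lines are the ones posted above plus one constructed non-firewall line to show the filter; the private-address check follows the reply's suggestion to confirm that the affected sessions are started from inside. The regexes and the event fields are my own assumptions about the message layout, derived only from the lines posted here.

```python
import ipaddress
import re
from collections import Counter

# Log lines as posted in the question, unwrapped, plus one constructed
# unrelated line (the %SYS-5-CONFIG_I one) that the parser should skip.
SAMPLE_LOG = """\
Oct 26 15:20:31.987: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:1663435490 1500 bytes is out-of-order; expected seq:1663410670. Reason: TCP reassembly queue overflow - session 10.10.11.61:49401 to 74.208.125.236:80
Oct 26 15:20:33.971: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:1697625256 1500 bytes is out-of-order; expected seq:1697600436. Reason: TCP reassembly queue overflow - session 10.10.11.61:49402 to 74.208.125.236:80
Oct 26 15:27:14.799: %FW-4-TCP_OoO_SEG: Deleting session as expected TCP segment with seq:2348714920 has not arrived even after 25 seconds - session 10.10.10.236:57329 to 66.220.151.69:80
Oct 26 15:40:45.703: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3518435753 1500 bytes is out-of-order; expected seq:3518410933. Reason: TCP reassembly queue overflow - session 10.10.11.93:49643 to 74.208.125.236:80
Oct 26 15:41:02.110: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# Outer shape shared by every %FW-4-TCP_OoO_SEG line: timestamp, message body,
# then the 5-tuple of the inspected session (assumed layout, from the posted lines).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d{3}): %FW-4-TCP_OoO_SEG: "
    r"(?P<body>.*) - session (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)
# Body of a dropped segment: the firewall saw seq X but was waiting for seq Y.
DROP_RE = re.compile(
    r"^Dropping TCP Segment: seq:(?P<seq>\d+) (?P<size>\d+) bytes is out-of-order; "
    r"expected seq:(?P<expected>\d+)\. Reason: (?P<reason>.+)$"
)
# Body of a session torn down because the missing segment never showed up.
DELETE_RE = re.compile(
    r"^Deleting session as expected TCP segment with seq:(?P<expected>\d+) "
    r"has not arrived even after (?P<seconds>\d+) seconds$"
)


def parse_line(line):
    """Return a dict describing one TCP_OoO_SEG event, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {
        "ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
    }
    body = m["body"]
    d = DROP_RE.match(body)
    if d:
        event.update(kind="drop", reason=d["reason"], seq=int(d["seq"]),
                     expected=int(d["expected"]), size=int(d["size"]))
        # How far ahead of the expected byte the dropped segment was.
        event["gap"] = event["seq"] - event["expected"]
        return event
    d = DELETE_RE.match(body)
    if d:
        event.update(kind="session_deleted", reason="expected segment never arrived",
                     expected=int(d["expected"]), seconds=int(d["seconds"]))
        return event
    event.update(kind="other", reason=body)
    return event


def summarize(text):
    """Group events by kind, reason and destination; count inside-initiated sessions."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    return {
        "events": events,
        "by_kind": Counter(e["kind"] for e in events),
        "by_reason": Counter(e["reason"] for e in events),
        "by_dst": Counter(e["dst"] for e in events),
        # Private (RFC 1918) source address means the session was opened from the LAN side.
        "inside_initiated": sum(1 for e in events if ipaddress.ip_address(e["src"]).is_private),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("events:", len(report["events"]))
    print("by kind:", dict(report["by_kind"]))
    print("by reason:", dict(report["by_reason"]))
    print("by destination:", dict(report["by_dst"]))
    print("inside-initiated:", report["inside_initiated"])
    for e in report["events"]:
        if e["kind"] == "drop":
            print(f'{e["ts"]} {e["src"]}:{e["sport"]} -> {e["dst"]}:{e["dport"]} gap={e["gap"]} bytes')
```

Run against the posted lines it reports three queue-overflow drops and one session deletion, all four sessions opened from 10.x addresses toward port 80, and three of them to the same destination. The gap column (dropped seq minus expected seq) is the same 24820 bytes in all three drops, roughly sixteen 1500-byte segments ahead of what the firewall was waiting for; feeding a longer `show log` through the same script is a quick way to see whether the messages cluster on a few destinations or are spread across the LAN before touching the reassembly settings.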

New Member

Re: Cisco 2911 show log

Hi Quislar:

I have applied this command:

ip inspect tcp reassembly queue length 100

Still getting the same logs. Maybe I have to wait and see, not sure. Were you referring to any other commands? Please let me know and I can try.

Help plz!
