Cisco IOS Software Release 12.4(11)T
TCP Out-of-Order Packet Support for Cisco IOS Firewall and Cisco IOS IPS
ip inspect tcp reassembly
Cisco IOS Security Configuration Guide
Usage Guidelines
The queue length Value
The value specified for the queue length applies to two queues per session: one queue holds
initiator traffic and the other holds responder traffic. For example, with the default queue length of 16,
up to 16 packets can be held per queue, for a maximum of 32 held packets per session.
When the maximum queue length is reached, the packet being switched is dropped unless it is the
in-order packet that the firewall or IPS will process. If the packet is dropped, a syslog message
explaining why it was dropped is generated. (Syslog messages are generated only when the alarm option
is set to “on.”)
The timeout Value
When the timer expires for the first time, the packets in the queue are not deleted. When the retry
timer then expires, the session is deleted, a syslog message is generated, and all unprocessed out-of-order
packets still in the queue are discarded.
The memory limit Value
When the limit for TCP reassembly memory is reached, packets from the reassembly queue of the
current session are released so that incoming packets can be accepted. Packets are released from the end
of the queue because they are farthest from the hole that must be filled. If the queue is already empty
when the memory limit is reached, the incoming packet is dropped.
The alarm Value
If no alarm value is configured, it defaults to “on,” unless the ip inspect alarm command is configured
and set to “off,” in which case syslog messages related to TCP connections are not generated. However,
if the alarm value of this command is explicitly set to “on” while the ip inspect alarm command is set to
“off,” the ip inspect alarm setting is ignored and the syslog messages are generated.
The alarm value is independent of and in addition to the syslog messages that can be enabled for a
Cisco IOS Firewall or Cisco IOS IPS.
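The queue length, timeout, memory limit and alarm rules above can be exercised offline with the following model. It is an added illustration, not Cisco IOS code: it reproduces the documented behaviour (two queues per session, drop on a full queue unless the packet fills the hole, release from the tail of the queue when memory runs out, delete the session after the retry timer, log only when alarm is on). The Packet and Reassembler names, the byte-based memory accounting, the session key tuple and the sample sequence numbers are assumptions made for the example; how a retransmission of already inspected data is handled is not described on this page and is modelled as a simple passthrough.

```python
"""Model of the ip inspect tcp reassembly queue policy (added example, not Cisco code)."""
from bisect import insort
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(order=True)
class Packet:
    seq: int    # sequence number of the first payload byte
    size: int   # payload bytes; also the memory a queued packet consumes (assumed)


@dataclass
class Direction:
    """One of the two queues per session (initiator or responder traffic)."""
    next_seq: int                                       # next in-order byte expected
    queue: List[Packet] = field(default_factory=list)   # held out-of-order packets, sorted


class Reassembler:
    def __init__(self, queue_length: int = 16, memory_limit_kb: int = 1024,
                 timeout_retries: int = 1, alarm: bool = True):
        self.queue_length = queue_length
        self.memory_limit = memory_limit_kb * 1024
        self.timeout_retries = timeout_retries
        self.alarm = alarm
        self.memory_used = 0
        self.sessions: Dict[Tuple, Dict[str, Direction]] = {}
        self.expiries: Dict[Tuple, int] = {}
        self.syslog: List[str] = []

    def _log(self, msg: str) -> None:
        # Syslog messages are only produced when the alarm option is on.
        if self.alarm:
            self.syslog.append(msg)

    def open_session(self, key: Tuple, init_seq: int, resp_seq: int) -> None:
        self.sessions[key] = {"initiator": Direction(init_seq),
                              "responder": Direction(resp_seq)}
        self.expiries[key] = 0

    def receive(self, key: Tuple, side: str, pkt: Packet) -> List[Packet]:
        """Return the packets that become in-order and go on to the firewall/IPS."""
        d = self.sessions[key][side]
        if pkt.seq < d.next_seq:
            return [pkt]                 # already inspected data; passthrough (assumption)
        if pkt.seq == d.next_seq:
            return self._drain(d, pkt)   # fills the hole: processed even if the queue is full
        if len(d.queue) >= self.queue_length:
            self._log(f"{key} {side}: queue length {self.queue_length} reached, "
                      f"dropped seq {pkt.seq}")
            return []
        # Memory limit: release packets from the end of this queue (farthest from
        # the hole) until the new packet fits; drop it if the queue runs empty first.
        while d.queue and self.memory_used + pkt.size > self.memory_limit:
            victim = d.queue.pop()
            self.memory_used -= victim.size
            self._log(f"{key} {side}: memory limit reached, released seq {victim.seq}")
        if self.memory_used + pkt.size > self.memory_limit:
            self._log(f"{key} {side}: memory limit reached, dropped seq {pkt.seq}")
            return []
        insort(d.queue, pkt)
        self.memory_used += pkt.size
        return []

    def _drain(self, d: Direction, pkt: Packet) -> List[Packet]:
        """Forward the hole-filling packet plus every queued packet now in order."""
        released = [pkt]
        d.next_seq = pkt.seq + pkt.size
        while d.queue and d.queue[0].seq <= d.next_seq:
            nxt = d.queue.pop(0)
            self.memory_used -= nxt.size
            d.next_seq = max(d.next_seq, nxt.seq + nxt.size)
            released.append(nxt)
        return released

    def timer_expired(self, key: Tuple) -> bool:
        """First expiry keeps the queue; once the retry timer expires the session goes."""
        self.expiries[key] += 1
        if self.expiries[key] <= self.timeout_retries:
            return False
        for d in self.sessions.pop(key).values():
            for stale in d.queue:
                self.memory_used -= stale.size
        del self.expiries[key]
        self._log(f"{key}: reassembly timeout, session deleted")
        return True
```

With queue_length=2 and memory_limit_kb=1, feeding in-order, out-of-order and oversized packets shows each rule in turn: the third out-of-order packet is dropped and logged, the hole-filling packet releases the whole run, a packet that exceeds memory first evicts the tail of the queue and is then itself dropped once the queue is empty, and the session survives the first timer expiry but not the retry.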
Examples
The following example shows how to instruct Cisco IOS IPS how to handle out-of-order packets for TCP
connections:
Router(config)# ip inspect tcp reassembly queue length 18
Router(config)# ip inspect tcp reassembly memory limit 200