Cisco ASA 5510 out-of-order packets to Google

2

We are seeing a large number of packets being dropped because they are out of order. The numbers are large enough to impact network performance.

We isolated some internal IPs, and the connections appear to be hitting Google servers on 443. The two computers shown in the Gist below run Chrome and the Hangouts extension, the same as everyone else in the company. One is a Mac, one is a PC.

I can't figure out what the heck is going on. Can anyone help me shed some light on this or on what to do next?

Gist below, with log:

house200-fw01# sh asp drop

Frame drop:
No route to host (no-route) 56
Flow is denied by configured rule (acl-drop) 1459
First TCP packet not SYN (tcp-not-syn) 37
TCP failed 3 way handshake (tcp-3whs-failed) 351
TCP RST/FIN out of order (tcp-rstfin-ooo) 530
TCP packet SEQ past window (tcp-seq-past-win) 167
TCP Out-of-Order packet buffer full (tcp-buffer-full) 15421
TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 1950
TCP RST/SYN in window (tcp-rst-syn-in-win) 2
TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 1874
Dropped pending packets in a closed socket (np-socket-closed) 4


- 848: 11:15:37.578903 173.194.46.86.443 > 33.33.33.33.29847
- PAT Global 33.33.33.33(29847) Local 10.55.55.109(52294)

- 827: 11:15:05.322386 207.238.18.142.443 > 33.33.33.33.23232
- PAT Global 33.33.33.33(23232) Local 10.55.55.79(49555)



- capture drop type asp-drop tcp-dup-in-queue buffer 3344556

1: 11:07:38.267442 173.194.57.120.443 > 33.33.33.33.49558: . 195566822:195568202(1380) ack 598914623 win 386
2: 11:07:38.267564 173.194.57.120.443 > 33.33.33.33.49558: . 195570962:195572342(1380) ack 598914623 win 386
3: 11:07:38.267671 173.194.57.120.443 > 33.33.33.33.49558: . 195573722:195575102(1380) ack 598914623 win 386
4: 11:07:38.267793 173.194.57.120.443 > 33.33.33.33.49558: . 195576482:195577862(1380) ack 598914623 win 386
5: 11:07:38.267915 173.194.57.120.443 > 33.33.33.33.49558: . 195577862:195579242(1380) ack 598914623 win 386
6: 11:07:38.268144 173.194.57.120.443 > 33.33.33.33.49558: . 195583382:195584762(1380) ack 598914623 win 386
7: 11:07:38.268250 173.194.57.120.443 > 33.33.33.33.49558: . 195587522:195588902(1380) ack 598914623 win 386
8: 11:07:38.268403 173.194.57.120.443 > 33.33.33.33.49558: . 195590282:195591662(1380) ack 598914623 win 386
9: 11:07:38.268601 173.194.57.120.443 > 33.33.33.33.49558: . 195594422:195595802(1380) ack 598914623 win 386
10: 11:07:38.268723 173.194.57.120.443 > 33.33.33.33.49558: . 195597182:195598562(1380) ack 598914623 win 386
11: 11:07:38.292511 173.194.57.120.443 > 33.33.33.33.49558: . 195599942:195601322(1380) ack 598914623 win 386
12: 11:07:38.292862 173.194.57.120.443 > 33.33.33.33.49558: . 195604082:195605462(1380) ack 598914623 win 386
13: 11:07:38.292984 173.194.57.120.443 > 33.33.33.33.49558: . 195605462:195606842(1380) ack 598914623 win 386
14: 11:07:38.293090 173.194.57.120.443 > 33.33.33.33.49558: . 195606842:195608222(1380) ack 598914623 win 386
15: 11:07:38.293212 173.194.57.120.443 > 33.33.33.33.49558: . 195608222:195609602(1380) ack 598914623 win 386
16: 11:07:38.293335 173.194.57.120.443 > 33.33.33.33.49558: . 195609602:195610982(1380) ack 598914623 win 386
17: 11:07:38.293441 173.194.57.120.443 > 33.33.33.33.49558: . 195610982:195612362(1380) ack 598914623 win 386
18: 11:07:38.293563 173.194.57.120.443 > 33.33.33.33.49558: . 195612362:195613742(1380) ack 598914623 win 386
19: 11:07:38.293685 173.194.57.120.443 > 33.33.33.33.49558: . 195613742:195615122(1380) ack 598914623 win 386
20: 11:07:38.293792 173.194.57.120.443 > 33.33.33.33.49558: . 195615122:195616502(1380) ack 598914623 win 386
21: 11:07:38.293914 173.194.57.120.443 > 33.33.33.33.49558: . 195616502:195617882(1380) ack 598914623 win 386
22: 11:07:38.294494 173.194.57.120.443 > 33.33.33.33.49558: . 195623402:195624782(1380) ack 598914623 win 386
23: 11:07:38.294616 173.194.57.120.443 > 33.33.33.33.49558: . 195624782:195626162(1380) ack 598914623 win 386

- capture drop type asp-drop tcp-buffer-timeout buffer 3344556

1: 11:10:36.636762 173.194.57.120.443 > 33.33.33.33.7417: . 3709341327:3709342707(1380) ack 2239501518 win 556 Drop-reason: (tcp-buffer-timeout) TCP Out-of-Order packet buffer timeout
2: 11:10:36.636884 173.194.57.120.443 > 33.33.33.33.7417: . 3709339947:3709341327(1380) ack 2239501518 win 556
3: 11:10:36.636975 173.194.57.120.443 > 33.33.33.33.7417: . 3709338567:3709339947(1380) ack 2239501518 win 556
4: 11:10:36.637097 173.194.57.120.443 > 33.33.33.33.7417: . 3709337187:3709338567(1380) ack 2239501518 win 556 Drop-reason: (tcp-buffer-timeout) TCP Out-of-Order packet buffer timeout
5: 11:10:36.637219 173.194.57.120.443 > 33.33.33.33.7417: . 3709330287:3709331667(1380) ack 2239501518 win 556 Drop-reason: (tcp-buffer-timeout) TCP Out-of-Order packet buffer timeout
6: 11:10:36.637326 173.194.57.120.443 > 33.33.33.33.7417: . 3709328907:3709330287(1380) ack 2239501518 win 556 Drop-reason: (tcp-buffer-timeout) TCP Out-of-Order packet buffer timeout
7: 11:10:36.637448 173.194.57.120.443 > 33.33.33.33.7417: . 3709327527:3709328907(1380) ack 2239501518 win 556 Drop-reason: (tcp-buffer-timeout) TCP Out-of-Order packet buffer timeout
8: 11:10:36.637570 173.194.57.120.443 > 33.33.33.33.7417: . 3709326147:3709327527(1380) ack 2239501518 win 556 Drop-reason: (tcp-buffer-timeout) TCP Out-of-Order packet buffer timeout
9: 11:10:36.638562 173.194.57.120.443 > 33.33.33.33.7417: . 3709324767:3709326147(1380) ack 2239501518 win 556
10: 11:10:36.638730 173.194.57.120.443 > 33.33.33.33.7417: . 3709323387:3709324767(1380) ack 2239501518 win 556 Drop-reason: (tcp-buffer-timeout) TCP Out-of-Order packet buffer timeout
11: 11:10:36.638837 173.194.57.120.443 > 33.33.33.33.7417: . 3709322007:3709323387(1380) ack 2239501518 win 556 Drop-reason: (tcp-buffer-timeout) TCP Out-of-Order packet buffer timeout
12: 11:10:36.638959 173.194.57.120.443 > 33.33.33.33.7417: . 3709320627:3709322007(1380) ack 2239501518 win 556 Drop-reason: (tcp-buffer-timeout) TCP Out-of-Order packet buffer timeout
13: 11:10:36.727028 173.194.57.120.443 > 33.33.33.33.7417: . 3709559367:3709560747(1380) ack 2239501518 win 556 Drop-reason: (tcp-buffer-timeout) TCP Out-of-Order packet buffer timeout
14: 11:10:36.727150 173.194.57.120.443 > 33.33.33.33.7417: . 3709557987:3709559367(1380) ack 2239501518 win 556 Drop-reason: (tcp-buffer-timeout) TCP Out-of-Order packet buffer timeout
15: 11:10:36.727257 173.194.57.120.443 > 33.33.33.33.7417: . 3709551087:3709552467(1380) ack 2239501518 win 556
    
by VSack 13.06.2014 / 19:23
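
A small parser for the `capture ... type asp-drop` lines posted in the question, added here as an illustration (not part of the original post): it groups dropped segments per flow and counts how many arrived with a lower sequence number than the previously captured one, using a comparison that is safe across 32-bit sequence wraparound. The names `analyze`, `seq_lt` and `SAMPLE` are assumptions of this example; the sample lines are copied from the captures above, and such a capture holds only the dropped segments, not the whole flow.

```python
import re

# One capture line: "N: time src.port > dst.port: flags seq:end(len) ... [Drop-reason: (name) ...]"
LINE = re.compile(
    r"^\s*\d+:\s+\S+\s+(\S+)\.(\d+)\s+>\s+(\S+)\.(\d+):\s+\S+\s+"
    r"(\d+):(\d+)\((\d+)\)(?:.*Drop-reason:\s+\((\S+)\))?")

def seq_lt(a, b):
    """True if TCP sequence number a precedes b (32-bit serial arithmetic)."""
    return ((a - b) & 0xFFFFFFFF) > 0x7FFFFFFF

def analyze(capture_text):
    """Per-flow summary of dropped segments: count, bytes, backward arrivals, drop reasons."""
    flows = {}
    for line in capture_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip headers, PAT lines and blank lines
        src, sport, dst, dport, seq, _end, length, reason = m.groups()
        key = (src, int(sport), dst, int(dport))
        st = flows.setdefault(
            key, {"segments": 0, "bytes": 0, "backward": 0, "reasons": {}, "last": None})
        seq = int(seq)
        st["segments"] += 1
        st["bytes"] += int(length)
        # A segment starting before the previously captured one arrived out of order.
        if st["last"] is not None and seq_lt(seq, st["last"]):
            st["backward"] += 1
        st["last"] = seq
        if reason:
            st["reasons"][reason] = st["reasons"].get(reason, 0) + 1
    return flows

# Sample input: lines copied from the two captures in the question.
SAMPLE = """\
1: 11:07:38.267442 173.194.57.120.443 > 33.33.33.33.49558: . 195566822:195568202(1380) ack 598914623 win 386
2: 11:07:38.267564 173.194.57.120.443 > 33.33.33.33.49558: . 195570962:195572342(1380) ack 598914623 win 386
3: 11:07:38.267671 173.194.57.120.443 > 33.33.33.33.49558: . 195573722:195575102(1380) ack 598914623 win 386
1: 11:10:36.636762 173.194.57.120.443 > 33.33.33.33.7417: . 3709341327:3709342707(1380) ack 2239501518 win 556 Drop-reason: (tcp-buffer-timeout) TCP Out-of-Order packet buffer timeout
2: 11:10:36.636884 173.194.57.120.443 > 33.33.33.33.7417: . 3709339947:3709341327(1380) ack 2239501518 win 556
3: 11:10:36.636975 173.194.57.120.443 > 33.33.33.33.7417: . 3709338567:3709339947(1380) ack 2239501518 win 556
4: 11:10:36.637097 173.194.57.120.443 > 33.33.33.33.7417: . 3709337187:3709338567(1380) ack 2239501518 win 556 Drop-reason: (tcp-buffer-timeout) TCP Out-of-Order packet buffer timeout
"""

if __name__ == "__main__":
    for flow, st in analyze(SAMPLE).items():
        print(flow, st["segments"], "segments,", st["backward"], "backward,", st["reasons"])
```
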

1 answer

1

We had the same problem, but for a different protocol.

While using IOS version 8.x (I don't remember the exact version), there was a problem with the inspects that would mess up the order in which it retransmitted the packets.

Do you have HTTP/HTTPS inspections enabled?

If so, you can create an ACL and "exclude" one or two machines from inspection, just for testing purposes.

    
by 13.06.2014 / 19:30