How to mitigate an abnormal increase in "tcp_exceed_seg_limit" global counter
Created On 07/25/23 18:21 PM - Last Modified 07/02/25 00:41 AM
Objective
To mitigate an abnormal increase in tcp_exceed_seg_limit global counter.
Counter's description:
The counter tcp_exceed_seg_limit increments when the out-of-order queue limit is reached, that is, when the number of out-of-order TCP segments waiting to be reassembled in order before the firewall's content inspection can process them has reached the firewall's per-session capacity limit.
Environment
- Next Generation Firewall
- DP packet drop
- tcp_exceed_seg_limit
Procedure
- Make sure that the segments of the same session or flow traverse the network, and consequently the firewall, over the same path.
  - On the network level: avoid any per-packet load-sharing (a.k.a. "round robin" load-sharing) mechanism, and prefer a per-session or per-flow load-sharing mechanism.
  - On the transmitting source:
    - Check whether the transmitting device's NIC has any offloading mechanism. If so, disable the offload mechanism.
    - Review the load-sharing mechanism if transmission is over multiple links.
- Check whether the network has any device that uses a layer-2 retransmission protocol to compensate for an error-prone link, as this can cause packet reordering.
- Check whether you have a device in your network that, for any reason, buffers received packets and then does not forward them in the order of their arrival, since that changes the packet order.
- There is a setting on the firewall that enables the option to bypass content inspection when the out-of-order segments' queue size limit is reached:
  - Check that setting using the CLI command:
    > show running tcp state
    session with asymmetric path : drop packet
    Bypass if OO queue limit is reached : no <<<
    Favor new seg data : no
    Urgent data : clear
    Drop if zero after clear urgent flag : yes
    Check Timestamp option : yes
    Allow Challenge Ack : no
    Remove MPTCP option : yes
  - You can enable that setting (it is disabled by default) using the CLI commands:
    > configure
    # set deviceconfig setting tcp bypass-exceed-oo-queue yes
    # commit
    # show deviceconfig setting tcp
    tcp {
      bypass-exceed-oo-queue yes;
    }
  - "yes" means that the counter tcp_exceed_seg_limit will still increment, but the segments in the queue will be forwarded. Segments that would be dropped by default (option set to "no") bypass the content scan when the out-of-order queue is full. This jeopardizes the security of the endpoints; use this option only if the endpoints are protected by other mechanisms.
  - "no" means that once the out-of-order segments' queue size limit is reached, any additional out-of-order segment received is dropped, and the counter tcp_exceed_seg_limit increments for each such segment. These drops can impact user experience and cause slow TCP connections due to packet retransmission.
- Check that setting using CLI command:
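As an added example (not part of the original article), the following Python snippet parses the "show running tcp state" output shown above and, together with two readings of the tcp_exceed_seg_limit counter, reports whether the counter is rising abnormally and whether the bypass option is currently trading inspection coverage for throughput. The counter samples and the rate threshold are constructed assumptions for illustration; the firewall itself does not produce them in this form.

```python
from typing import Dict, List, Tuple

# Output of "show running tcp state" exactly as shown in the article
# (sample embedded here so the script runs offline).
SAMPLE_TCP_STATE = """\
session with asymmetric path : drop packet
Bypass if OO queue limit is reached : no <<<
Favor new seg data : no
Urgent data : clear
Drop if zero after clear urgent flag : yes
Check Timestamp option : yes
Allow Challenge Ack : no
Remove MPTCP option : yes
"""

# Constructed (timestamp in seconds, counter value) readings of
# tcp_exceed_seg_limit, e.g. taken from successive "show counter global" runs.
SAMPLE_COUNTER_READINGS = [(0.0, 1000), (60.0, 4000)]

def parse_tcp_state(text: str) -> Dict[str, str]:
    """Turn the 'key : value' lines into a dict; the '<<<' highlight is dropped."""
    state: Dict[str, str] = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, value = line.split(" : ", 1)
        state[key.strip()] = value.replace("<<<", "").strip()
    return state

def bypass_enabled(state: Dict[str, str]) -> bool:
    """True when bypass-exceed-oo-queue is set, i.e. excess OO segments skip inspection."""
    return state.get("Bypass if OO queue limit is reached", "no").lower() == "yes"

def counter_rate(readings: List[Tuple[float, int]]) -> float:
    """Average increments per second between the first and last reading."""
    (t0, v0), (t1, v1) = readings[0], readings[-1]
    return (v1 - v0) / (t1 - t0) if t1 > t0 else 0.0

def assess(state: Dict[str, str], readings: List[Tuple[float, int]],
           threshold_per_s: float = 10.0) -> List[str]:
    """Findings a firewall operator would act on; threshold is an assumed baseline."""
    findings = []
    rate = counter_rate(readings)
    if rate > threshold_per_s:
        findings.append(f"tcp_exceed_seg_limit rising at {rate:.1f}/s: check path symmetry, "
                        "per-packet load sharing, NIC offload and L2 retransmission devices")
    if bypass_enabled(state):
        findings.append("bypass-exceed-oo-queue is yes: excess out-of-order segments are "
                        "forwarded without content inspection")
    elif rate > threshold_per_s:
        findings.append("bypass is no: excess out-of-order segments are dropped, expect "
                        "retransmissions and slow TCP sessions")
    return findings
```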