FWSM-4-209003: Fragment database limit of 200 exceeded

Sep 25th, 2007

Hi everyone,

I have seen the following message on FWSM 2.3(4).

%FWSM-4-209003: Fragment database limit of 200 exceeded: src = xxx.xxx.xxx.xxx, dest = yyy.yyy.yyy.yyy, proto = tcp, id = 19923

xxx.xxx.xxx.xxx is client

yyy.yyy.yyy.yyy is WEB server

The following is the explanation of this message found on CCO.

----------

%FWSM-4-209003: Fragment database limit of number exceeded: src = IP_address,dest = IP_address, proto = protocol, id = number

Explanation

Too many IP fragments are currently awaiting reassembly. By default, the maximum number of fragments is 200.

The module limits the number of IP fragments that can be concurrently reassembled. This restriction prevents memory depletion at the module under abnormal network conditions.

----------

The MTU settings on the FWSM are:

mtu outside 1500

mtu inside 1500

So my personal understanding is that the FWSM does not perform packet assembly/reassembly when the inside MTU and the outside MTU are the same value.

However, %FWSM-4-209003 means "By default, the maximum number of fragments is 200. The module limits the number of IP fragments that can be concurrently reassembled.".

I am confused about whether the FWSM performs packet reassembly or not, even when the inside MTU and outside MTU sizes are the same value (in this case, 1500 bytes).

I understand that the "fragment" command on the FWSM provides the Frag Guard/IP fragment protection feature, that it uses the fragment database, and that the "fragment size" command configures the size of the fragment database.

So I think that "reassemble" on the FWSM just means reassembling packets in the fragment database to inspect them for Frag Guard, and not reassembling real user traffic.

Is my understanding correct?

Your information would be appreciated.

Regards,

Shinichi

mattiaseriksson Wed, 09/26/2007 - 06:56

Hi, my understanding is that the FragGuard feature - if enabled - always does virtual reassembly of fragmented IP packets, regardless of the MTU settings. This feature is used to protect against attacks that are using fragmented packets, and not to fragment packets in the case that the local interfaces are of different MTU sizes.
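To make the behaviour discussed in this thread concrete, here is an added toy model of a firewall fragment database, written for this page and not Cisco's FWSM code. Fragments are keyed by (src, dest, proto, IP id), the database holds at most `size` fragments across all chains (200 is the default the log message quotes; the per-chain cap of 24 used here is an assumption), a chain is released once every byte of the original datagram has arrived, and the interface MTUs never enter the decision. The addresses and fragment sizes are constructed sample input; the 209003-style line the model emits copies the format shown in the question.

```python
"""Toy model of a fragment database with a global fragment limit (added example)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    proto: str
    ip_id: int
    offset: int   # byte offset of this fragment's payload (IP encodes it in 8-byte units)
    length: int   # payload bytes carried by this fragment
    more: bool    # MF flag: True on every fragment except the last

    @property
    def is_fragment(self) -> bool:
        # An unfragmented datagram has offset 0 and MF clear; it is never stored.
        return self.more or self.offset > 0


@dataclass
class Chain:
    """All fragments seen so far for one (src, dst, proto, id) datagram."""
    frags: list = field(default_factory=list)
    total: Optional[int] = None   # datagram payload length, known once MF=0 arrives

    def add(self, f: Fragment) -> None:
        self.frags.append(f)
        if not f.more:
            self.total = f.offset + f.length

    def complete(self) -> bool:
        # Virtual reassembly: check that offsets cover 0..total with no gaps.
        if self.total is None:
            return False
        covered = 0
        for f in sorted(self.frags, key=lambda x: x.offset):
            if f.offset > covered:
                return False          # hole in the datagram, keep waiting
            covered = max(covered, f.offset + f.length)
        return covered >= self.total


class FragmentDatabase:
    def __init__(self, size: int = 200, chain: int = 24):
        self.size = size              # analogue of 'fragment size' (page: default 200)
        self.chain_limit = chain      # per-datagram cap; 24 is an assumed value
        self.chains: dict = {}
        self.held = 0                 # fragments currently awaiting reassembly
        self.log: list = []

    def offer(self, f: Fragment) -> str:
        """Return 'pass', 'hold' or 'drop' for one arriving packet."""
        if not f.is_fragment:
            return "pass"             # whole datagrams bypass the database entirely
        key = (f.src, f.dst, f.proto, f.ip_id)
        if self.held >= self.size:
            # Same shape as the syslog line quoted in the question.
            self.log.append(
                f"%FWSM-4-209003: Fragment database limit of {self.size} exceeded: "
                f"src = {f.src}, dest = {f.dst}, proto = {f.proto}, id = {f.ip_id}")
            return "drop"
        chain = self.chains.setdefault(key, Chain())
        if len(chain.frags) >= self.chain_limit:
            return "drop"             # too many pieces for one datagram
        chain.add(f)
        self.held += 1
        if chain.complete():
            # Inspection could happen here; the fragments are then released as-is.
            self.held -= len(chain.frags)
            del self.chains[key]
            return "pass"
        return "hold"


def demo():
    """Constructed scenario: one legitimate datagram, then a flood of orphan first fragments."""
    db = FragmentDatabase(size=4)     # tiny limit so the overflow is visible
    client, web = "192.0.2.10", "198.51.100.80"
    legit = [db.offer(Fragment(client, web, "tcp", 100, 0, 1480, True)),
             db.offer(Fragment(client, web, "tcp", 100, 1480, 200, False))]
    flood = [db.offer(Fragment(client, web, "tcp", 200 + i, 0, 1480, True))
             for i in range(5)]
    whole = db.offer(Fragment(client, web, "tcp", 999, 0, 60, False))
    return legit, flood, whole, db.held, db.log


if __name__ == "__main__":
    for line in demo()[4]:
        print(line)
```

The legitimate two-fragment datagram is held, completed and released with nothing left in the database, while five first fragments whose tails never arrive fill a database of size 4 and the fifth produces the 209003-style line; an unfragmented packet still passes at that point because it is never stored. Note that the database is only ever consulted for packets that are already fragments, which is why the 1500/1500 MTU setting in the question has no bearing on whether the message appears.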
