FWSM-4-209003: Fragment database limit of 200 exceeded

Unanswered Question
Sep 25th, 2007

Hi everyone,


I have seen the following message on FWSM 2.3(4).


%FWSM-4-209003: Fragment database limit of 200 exceeded: src = xxx.xxx.xxx.xxx, dest = yyy.yyy.yyy.yyy, proto = tcp, id = 19923


xxx.xxx.xxx.xxx is client

yyy.yyy.yyy.yyy is WEB server


The following is the explanation of this message found on CCO.


----------

%FWSM-4-209003: Fragment database limit of number exceeded: src = IP_address,dest = IP_address, proto = protocol, id = number


Explanation

Too many IP fragments are currently awaiting reassembly. By default, the maximum number of fragments is 200.

The module limits the number of IP fragments that can be concurrently reassembled. This restriction prevents memory depletion at the module under abnormal network conditions.

----------


The MTU setting on the FWSM is:


mtu outside 1500

mtu inside 1500


So my personal understanding is that the FWSM does not perform packet fragmentation/reassembly when the inside MTU and outside MTU are the same value.


However, %FWSM-4-209003 means "By default, the maximum number of fragments is 200. The module limits the number of IP fragments that can be concurrently reassembled."


I am confused about whether the FWSM performs packet reassembly or not, even if the inside MTU and outside MTU sizes are the same value (in this case, 1500 bytes).


I understand that the "fragment" command on the FWSM provides the Frag Guard/IP fragment protection feature, that it uses a fragment database, and that the "fragment size" command configures the size of that fragment database.


So I think that "reassemble" on the FWSM just means reassembling packets in the fragment database in order to inspect them for Frag Guard, and not reassembling real user traffic.


Is my understanding correct?


Your information would be appreciated.


Regards,


Shinichi
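For anyone triaging this message in syslog, the following is an added example (not from the original post, the FWSM documentation, or Cisco) that parses %FWSM-4-209003 lines using the field layout quoted above from CCO and counts how often each source address trips the fragment database limit. The IP addresses, timestamps and the unrelated line in the sample log are constructed placeholders; the threshold value is an arbitrary assumption for illustration.

```python
import re
from collections import Counter

# Pattern built from the CCO message format quoted on this page:
#   %FWSM-4-209003: Fragment database limit of <number> exceeded:
#   src = <IP>, dest = <IP>, proto = <protocol>, id = <number>
# The comma after src may or may not be followed by a space, so ", ?" is used.
FRAG_LIMIT_RE = re.compile(
    r"%FWSM-4-209003: Fragment database limit of (?P<limit>\d+) exceeded: "
    r"src = (?P<src>[\d.]+), ?dest = (?P<dest>[\d.]+), "
    r"proto = (?P<proto>\w+), id = (?P<id>\d+)"
)


def parse_frag_limit_event(line):
    """Return the fields of a 209003 message as a dict, or None for other lines."""
    m = FRAG_LIMIT_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["limit"] = int(event["limit"])  # configured fragment database size
    event["id"] = int(event["id"])        # IP identification field of the datagram
    return event


def summarize(lines, threshold=3):
    """Count 209003 events per source and flag sources at or above the threshold.

    The threshold is an assumed value for this example; a real deployment would
    tune it against the normal rate of fragmented traffic on the segment.
    """
    events = [e for e in (parse_frag_limit_event(l) for l in lines) if e]
    per_src = Counter(e["src"] for e in events)
    flagged = sorted(src for src, n in per_src.items() if n >= threshold)
    return {"total": len(events), "per_src": dict(per_src), "flagged": flagged}


# Constructed sample syslog lines (not taken from the original post).
SAMPLE_LOG = [
    "Sep 25 2007 10:01:02: %FWSM-4-209003: Fragment database limit of 200 exceeded: "
    "src = 10.1.1.5, dest = 192.0.2.10, proto = tcp, id = 19923",
    "Sep 25 2007 10:01:02: %FWSM-4-209003: Fragment database limit of 200 exceeded: "
    "src = 10.1.1.5, dest = 192.0.2.10, proto = tcp, id = 19924",
    "Sep 25 2007 10:01:03: %FWSM-4-209003: Fragment database limit of 200 exceeded: "
    "src = 10.1.1.5,dest = 192.0.2.10, proto = udp, id = 19930",
    "Sep 25 2007 10:01:03: %FWSM-4-209003: Fragment database limit of 200 exceeded: "
    "src = 10.1.1.9, dest = 192.0.2.10, proto = tcp, id = 31",
    "Sep 25 2007 10:01:04: (constructed unrelated syslog line) "
    "connection built 10.1.1.7 -> 192.0.2.10",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("209003 events:", report["total"])
    for src, n in sorted(report["per_src"].items()):
        print(f"  {src}: {n}")
    print("sources at/above threshold:", report["flagged"])
```

A high count from a single source only says that host's datagrams are filling the fragment database faster than Frag Guard can reassemble them; whether that is a large-datagram application or malformed traffic has to be confirmed by looking at the actual fragments and the module's fragment counters before changing the "fragment size" setting.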

mattiaseriksson Wed, 09/26/2007 - 06:56

Hi, my understanding is that the FragGuard feature, if enabled, always does virtual reassembly of fragmented IP packets, regardless of the MTU settings. This feature is used to protect against attacks that use fragmented packets, and not to fragment packets in the case that the local interfaces have different MTU sizes.
