ASA, IPSec pre-fragmentation

Unanswered Question
Nov 29th, 2007

We have a site-to-site IPSec VPN with an external company. This company uses RDP to manage their server in our LAN. Suddenly RDP did not function. After I chose the feature IPSec Prefragmentation Policy and set the DF Bit Policy from copy to clear, it works well again. What does this option do?

I think the problem started with the WINDOWS2003 update MS05-19.

Anonymous (not verified) Thu, 12/06/2007 - 14:34

Sometimes larger packets need to be fragmented before being transmitted. The DF (Don't Fragment) option in the IP packet from the client prevents this fragmentation. When you set clear DF bit, the ASA automatically clears this DF bit if the size of the packet is larger than the capacity.
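
The copy versus clear behaviour described in the reply above, as an added example that is not part of the original thread and is not ASA code: a simplified Python model of the decision taken before encryption. The interface MTU, the ESP overhead figure, the addresses and the function names are assumptions made for illustration.

```python
import struct

ESP_OVERHEAD = 58   # assumed tunnel-mode ESP overhead in bytes (varies with cipher)
IFACE_MTU = 1500    # assumed MTU of the outside interface

def ipv4_packet(total_len, df):
    """Build a constructed IPv4 packet: 20-byte header plus zero-filled payload."""
    flags_frag = 0x4000 if df else 0          # bit 14 of the flags/offset word is DF
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, flags_frag,
                      64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 1, 1]))
    return hdr + bytes(total_len - 20)

def prefragment(packet, df_policy):
    """Return ("drop", None) or ("send", [(offset, length, df, more_fragments), ...])."""
    total_len, _ident, flags_frag = struct.unpack("!HHH", packet[2:8])
    df = bool(flags_frag & 0x4000)
    limit = IFACE_MTU - ESP_OVERHEAD          # largest inner packet that still fits
    if total_len <= limit:
        return "send", [(0, total_len, df, False)]
    if df and df_policy == "copy":
        # Too large and DF is honoured: the packet is dropped. The sender only
        # recovers if the ICMP "fragmentation needed" (type 3, code 4) reaches it.
        return "drop", None
    # DF absent, or cleared by policy: split the payload on 8-byte boundaries.
    payload = total_len - 20
    chunk = (limit - 20) // 8 * 8
    frags, off = [], 0
    while off < payload:
        size = min(chunk, payload - off)
        frags.append((off, size + 20, False, off + size < payload))
        off += size
    return "send", frags

if __name__ == "__main__":
    big = ipv4_packet(1500, df=True)          # full-size segment with DF set
    for policy in ("copy", "clear"):
        print(policy, prefragment(big, policy))
```
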

