Netscreens' "Block Fragment Traffic" option blocks ipsec/udp traffic

Unanswered Question
May 30th, 2008
User Badges:

we have a vendor who uses a Netscreen firewall and for security purposes needs to have the "Block Fragment Traffic" option enabled. Yet that option is blocking our ipsec over udp traffic from our ASA5550. I've tried all the possible pre-fragmentation options and our interface MTU is set to 1500.

Strange thing is that we have existing 3k's they can connect to fine through this Netscreen. It's only the new ASA that they cannot connect to. They turned off the Block Fragment Traffic option as a test and were able to login to the ASA without a problem.

Has anyone encountered this issue or know of a workaround? Thanks in advance.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
network_team Sun, 06/01/2008 - 06:57
User Badges:

Hi sorry i can not help but i am have the same problem with fragment packets wen connectiong with cisco vpn client through a ceckpoint firewall with smartdefence enabled trying to access cisco VPN concentrator 3000. it connects but the checkpoint drops fragmenet packets. Ceckpoint are saying this is a Cisco fault, but i am yet to gety a fix.


This Discussion