FWSM versions and MTU

Unanswered Question
May 7th, 2009

Running FWSM v2.3(1) in one environment and v2.3(3) in a separate environment. Are there any differences in how IP unreachables are treated between the versions? We seem to be running into MTU fragmentation issues from the later-version box. We can put a rule in there, but I need to know if the version differences are the cause. The earlier version works fine.

sbilgi Thu, 05/14/2009 - 06:24

An MTU fragmentation issue may arise due to the progression of a denial-of-service attack, where too many IP fragments are currently awaiting reassembly. By default, the maximum number of fragments is 200. The security appliance limits the number of IP fragments that can be concurrently reassembled. This restriction prevents memory depletion at the security appliance under abnormal network conditions. In general, fragmented traffic should be a small percentage of the total traffic mix. An exception is a network environment with NFS over UDP, where a large percentage is fragmented traffic; if this type of traffic is relayed through the security appliance, consider using NFS over TCP instead. To prevent fragmentation, see the sysopt connection tcpmss bytes command here:

http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/s8.html#wp1381654
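The following is an added configuration example, not part of sbilgi's reply or of the linked Cisco document. It shows how to check the reassembly database mentioned above and the two knobs that usually resolve this kind of problem: raising the per-interface fragment limit (only where fragmented traffic is legitimate, e.g. NFS over UDP) and clamping the TCP MSS so TCP flows never need fragmentation. It uses ASA 8.1-style CLI syntax as in the linked reference; the interface names `inside`/`outside`, the ACL name `outside_in`, the fragment counts, and the 1400-byte path MTU are assumptions for illustration, and on FWSM 2.3 the `extended` keyword and `show fragment` output may differ, so verify against that platform's command reference.

```text
! Added example (not from the original thread). ASA 8.1-style syntax; interface
! names, ACL name, counts and the 1400-byte path MTU are assumed values.

! 1. Inspect the current reassembly database: how many fragments are queued,
!    how many were dropped, and the configured size/chain/timeout per interface.
show fragment
show fragment outside

! 2. Raise the reassembly limits only where fragmented traffic is expected
!    (default size is 200 fragments). Larger values consume more memory and
!    weaken the DoS protection the limit exists for, so scope it to one interface.
fragment size 400 inside
fragment chain 400 inside
fragment timeout 5 inside

! 3. Prevent TCP fragmentation entirely by clamping MSS in the handshake.
!    For an assumed 1400-byte path MTU: 1400 - 20 (IP) - 20 (TCP) = 1360.
!    (The appliance default is 1380, which assumes a 1500-byte MTU minus
!    IPsec overhead.)
sysopt connection tcpmss 1360

! 4. Path MTU discovery needs ICMP type 3 (unreachable, incl. code 4
!    "fragmentation needed") to reach the sending host. If inbound ICMP is
!    filtered, permit just that type rather than all ICMP.
access-list outside_in extended permit icmp any any unreachable
access-group outside_in in interface outside
```

After applying the MSS clamp, a new TCP session through the box should show the clamped value in the SYN/SYN-ACK options on a packet capture, and `show fragment` counters for the affected interface should stop incrementing for TCP traffic; only UDP or ICMP payloads larger than the path MTU will still fragment, which is the case the `fragment size` tuning addresses.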
