SA520 fragment reassembly problem

Unanswered Question
Jun 14th, 2010

I'm baffled by this one.  I found that the SA520 does not seem to be able to reassemble fragmented packets.  I have 2 sites and I setup a site-to-site IPSEC link.  The problem started that small packets less than 1409 bytes could be transmitted across the link, but not larger ones.  This caused problems and caused me to do more testing.  I found that even when pinging the LAN IP from a local computer, I couldn't ping larger than 1472, which I expect if I set the NoFragment bit.  But if I don't set the NoFragment bit, why can't it reassemble the 2 packets from a 1475 byte ping?

I did a packet trace (from the SA520's UI) and looked at the .CAP file with WireShark.  I see the 2 fragments for each ping request (the first one, and then the 3 extra bytes, totaling 1475 bytes) and then nothing else until exactly 30 seconds later.  At that time I get a ping response of "Type: 11 (Time-to-live exceeded)" with a code of "Code: 1 (Fragment reassembly time exceeded)".

So, it seems that the SA520 doesn't think it got all the packets, or it just refused to put them back together.  I get roughly the same results pinging the SA520 on the other side of the IPSEC link (which right now is a cable connecting the 2 together in my lab).

This seems like a bug to me, but I can't believe no one else has had any problem like this.  Anyone?

weilia Mon, 06/28/2010 - 15:22

Hi Grant,

Could you check your PC's MTU setting?


grantscheffert Thu, 07/01/2010 - 22:35

After a couple calls with Cisco support, I found the reason and solution.  In the Firewall -> Attacks configuration page, there is an option for "Block Fragmented Packets" that is checked by default.  It seems that not only does this block regular WAN traffic that is fragmented, but also blocks traffic that is part of any IPSEC VPN tunnel.  Now that I know it, it seems like something I should have found, however, I would have thought that the firewall would not have blocked traffic within the tunnel.

After changing that, all the symptoms I described above went away.  I could ping successfully with any size packet I desired.
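As an added example (not code from this thread or from Cisco), the Python below models the two things the posts describe: how a 1475-byte ping at MTU 1500 becomes a 1480-byte fragment plus a 3-byte tail (while 1472 stays in one packet), and how to tell the "fragment reassembly time exceeded" symptom apart from a normal reply when reading a trace. The packet records are constructed dicts standing in for the .CAP file, not a pcap parser.

```python
MTU, IP_HDR, ICMP_HDR = 1500, 20, 8
ECHO_REQ, ECHO_REPLY, TTL_EXCEEDED, FRAG_REASSEMBLY_TIMEOUT = 8, 0, 11, 1


def fragment_echo(payload_len, mtu=MTU):
    """Split an ICMP echo with payload_len data bytes into IP fragments.
    Returns [(offset_bytes, data_len, more_fragments)]; every fragment but
    the last must carry a multiple of 8 data bytes (offsets are in 8-byte units)."""
    total = ICMP_HDR + payload_len            # ICMP header rides in fragment 1
    chunk = (mtu - IP_HDR) // 8 * 8           # 1480 data bytes per full fragment
    frags, off = [], 0
    while off < total:
        length = min(chunk, total - off)
        frags.append((off, length, off + length < total))
        off += length
    return frags


def diagnose(trace, timeout=30.0):
    """Per fragmented echo request (grouped by IP id): 'reassembled_ok' if an
    echo reply follows, 'reassembly_timeout' if only ICMP type 11 / code 1 shows
    up about `timeout` s later (a device dropped a fragment), else 'no_response'."""
    verdicts = {}
    first_frags = [p for p in trace if p["type"] == ECHO_REQ and p["mf"]]
    for req in first_frags:
        sent = max(p["t"] for p in trace if p["id"] == req["id"])
        later = [p for p in trace if p["t"] > sent]
        if any(p["type"] == ECHO_REPLY for p in later):
            verdicts[req["id"]] = "reassembled_ok"
        elif any(p["type"] == TTL_EXCEEDED and p["code"] == FRAG_REASSEMBLY_TIMEOUT
                 and p["t"] - sent >= 0.9 * timeout for p in later):
            verdicts[req["id"]] = "reassembly_timeout"
        else:
            verdicts[req["id"]] = "no_response"
    return verdicts


# Constructed trace mirroring the post: two fragments of a 1475-byte ping, then
# nothing until "fragment reassembly time exceeded" 30 s later (tail has no ICMP hdr).
SAMPLE_TRACE = [
    {"t": 0.000, "id": 0x1a2b, "off": 0, "mf": True, "type": ECHO_REQ, "code": 0},
    {"t": 0.000, "id": 0x1a2b, "off": 1480, "mf": False, "type": None, "code": None},
    {"t": 30.002, "id": 0x3c4d, "off": 0, "mf": False, "type": TTL_EXCEEDED,
     "code": FRAG_REASSEMBLY_TIMEOUT},
]

if __name__ == "__main__":
    print(fragment_echo(1472), fragment_echo(1475))  # one fragment vs. 1480 + 3 bytes
    print(diagnose(SAMPLE_TRACE))                    # {6699: 'reassembly_timeout'}
```

A trace that shows 'reassembly_timeout' for every fragmented request, on both the LAN and the tunnel side, points at a fragment-dropping policy such as the "Block Fragmented Packets" option rather than at the PC's MTU.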
