this message appears on log in our Cisco 7200 few days ago:
Jun 22 09:50:00 eg07.mad3.anter-x.net 508779: Jun 22 09:49:59.053 CEST: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Serial2/1: the fragment table has reached its maximum threshold 16
but my boss wants to know who may be sending the large number of fragments (server, vpn conection, and so), before talk with the client. We know that recently have begun to deploy VoIP. Do you think that may be related?
>> We know that recently have begun to deploy VoIP. Do you think that may be related?
you can exclude VoIP at least for bearer channels RTP packets carrying packetized voice are quite small.
Signalling may use big packets when it needs to download a configuration file in a Voice gateway but keepalives should be small
you should be able to take advantage of an ACL with a line like
permit ip any any fragment log
in order to understand who is sending those fragments the ACL will have other lines to permit other traffic and it may be integrated in current ACL if one is applied inbound to interface ser2/1
you will see messages in router log buffer and eventually exported to syslog
Hope to help