×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

ASA 5585X in L2 trans. mode drops (ASP) fragm. IPv4 UDP multicast

Unanswered Question
Nov 19th, 2013
User Badges:

Hello Community,



it seems there are problems with dropped fragmented IPv4 UDP Multicast traffice on an ASA 5585X platform running ver. 8.4(6)5. The following sample topology has been used for the verification scenario:



MC src and rcv

(XChariot)

|

-----C4503---------------ASA5585X-L2mode-----------IPSEC-Appl.------WAN----------Remote Site with (S,G) (10.10.4.156,225.1.2.154) (XChariot)

|

MC src and rcv

(XChariot)


Test 1  (S,G) (10.10.4.156,225.1.2.154) sends UDP with a UDP length of 1341


(Trace "WAN-IF_capture_225.1.2.154_no-frag" and

output "L2FW-not_fragmented"


The traffic passes through the Transparent mode ASA without any problems.


Test2 (S,G) (10.10.4.156,225.1.2.154) sends UDP with a UDP length of 3441 resulting in fragmentation.


This traffic and unfortunately it is the same for the real application is drop by the ASA. The two ASP drops counters for "

Dst MAC L2 Lookup Failed" and "invalid-udp-length" are increasing in a realtion of  3(DstMAC):1(invalid udp).


The file"L2FW-frag_IPv4_UDP_MC_ASPdrops" shows first the capture on the WAN and then the captures on the ASP drops. In addition the three traces in pcap format.


Any idea?


Thank you in advance for you contribution.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
h.groeger Wed, 12/04/2013 - 10:33
User Badges:

Hello Community,


the following combination solved our problem for now, upgrade to ASA OS 9.1.3 (asa913-2-smp-k8.bin) and the change from virtual reassembly (default) to hardware reassembly -> global-cfg -> fragment reassembly full [interface].


http://www.cisco.com/en/US/docs/security/asa/command-reference/f2.html#wp2019322


Perhaps further test will be made with using lower interim versions.

Actions

This Discussion

Related Content