cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1575
Views
0
Helpful
1
Replies

A wierd observation - Deny IP teardrop fragment

frankamankwah1
Level 1
Level 1

I need help in trying to make sense of the following. My syslog server is full of the following error: Deny IP teardrop fragment. The source addresses resulting in the error are all from my remote MPLS routers. The traffic involved are either netflows or syslogs all sourced from the MPLS routers. The error message points to issues with traffic sourced from the MPLS routers.As a result of this error, my ASA5520 device's CPU spikes up to 90%. The CPU issue only goes away after I have made the primary LAN firewall standby and the standby Internet firewall active. The WAN traffic has nothing to do with the Internet firewalls. Also, I see traffic hitting the outside interface of the LAN firewall even after I took one of the culprit MPLS routers offline.

Can someone please help explain what is going on? I already know that the issue is related to this code since it appears in the syslogs but then why is it sourcing from my MPLS routers and only impacting syslog and Netflow traffics?

106020

Error Message    %PIX-2-106020: Deny IP teardrop fragment (size = number, offset = 
number) from IP_address to IP_address

Explanation    The firewall discarded an IP packet with a teardrop signature containing either a small  offset or fragment overlapping. This is a hostile event to circumvent the firewall or an Intrusion  Detection System.

Recommended Action    Contact the remote peer administrator or escalate this issue according to your  security policy.


1 Reply 1

Maykol Rojas
Cisco Employee
Cisco Employee

Hi,

Did you opened a case with TAC today? I helped out one of my engineers today to troubleshoot a case like this. Really looks the same.

Anyways, on the engineers case the packet was bouncing around between the router and the ASA, which of coursed caused the High CPU.

Main thing on this cases is to check the routes on the ASA and the router and check if there is a possibility for the packet to be looped between these devices.

If it is a fragmented packet, it would be worst, because, since the packet is fragmented, it means that more and more will come, hence causing a hell on the ASA CPU.

Let me know.

Mike

Mike
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: