fragment chain - What is the risk of changing this setting?
I have a PIX 515 connecting to a remote site ASA 5510 using an IPsec tunnel. The remote site has numerous other devices we can telnet to without issue. There is one device at the remote site, made by Avocent, that is an IPKVM. We can telnet and log in to the device, but when the person tries to load, say, the help screen or another screen after the login, the session just hangs. If we telnet to another device at the remote site, we can telnet to the IPKVM without issue from that other device.
Found this error on the corp side firewall PIX515
Dec 11 2006 14:28:54: %PIX-4-209005: Discard IP fragment set with more than 1 elements: src = 192.168.xx.xx, dest = 192.168.xx.xx, proto = tcp, id = 14003
On our corp-side PIX 515, so the traffic makes it to the corp firewall and gets dropped due to the fragment set?
Current setting on the PIX 515 is "fragment chain 1 outside".
So what is the risk of increasing this setting on the corp PIX 515?
Re: fragment chain - What is the risk of changing this setting?
Basically, a PIX allows a large packet to be fragmented into 24 fragments. By default, the fragmentation limit is 24. With the command "fragment chain 1 outside", what you have specified is "do not allow any fragmented packets".
Just do a
no fragment chain 1 outside
This should allow up to 24 fragmented packets on the interface.
You can verify by issuing the
show fragment
command.
You will have to disable fragmentation in case you are trying to access NAS servers. Otherwise, having fragmented packets will not have any risk.
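The question quotes one %PIX-4-209005 message, but on a busy firewall these arrive in volume, and the useful triage step is to see which flows are being dropped and what chain limit is in effect before touching the fragment setting. The following is an added example, not part of the original thread or any Cisco tool: it parses 209005 discard messages in the format shown in the question and summarizes them per (src, dst, proto). The sample log lines are constructed with RFC 5737 documentation addresses; the assumption that the "more than N elements" value is the configured fragment chain limit follows from the message text itself.

```python
import re
from collections import Counter

# Pattern for the %PIX-4-209005 message as quoted in the question:
# "Discard IP fragment set with more than N elements: src = ..., dest = ..., proto = ..., id = ..."
# PIX and ASA use the same message id; other syslog lines will not match.
FRAG_DISCARD_RE = re.compile(
    r"%(?:PIX|ASA)-4-209005: Discard IP fragment set with more than (?P<limit>\d+) elements: "
    r"src = (?P<src>[\d.]+), dest = (?P<dst>[\d.]+), proto = (?P<proto>\w+), id = (?P<id>\d+)"
)


def parse_fragment_discard(line):
    """Return a dict for a 209005 discard message, or None for any other line."""
    m = FRAG_DISCARD_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["limit"] = int(rec["limit"])  # fragment chain limit in effect on that interface (assumption)
    rec["id"] = int(rec["id"])        # IP identification field of the discarded fragment set
    return rec


def summarize_fragment_drops(lines):
    """Count discards per (src, dst, proto) and report the chain limit seen.

    Returns (counter, limit). limit is None when no 209005 message was present;
    a limit of 1 means every fragmented datagram is being dropped, which matches
    the 'fragment chain 1 outside' behaviour described in the answer above.
    """
    counter = Counter()
    limit = None
    for line in lines:
        rec = parse_fragment_discard(line)
        if rec is None:
            continue
        counter[(rec["src"], rec["dst"], rec["proto"])] += 1
        limit = rec["limit"]
    return counter, limit


def drops_all_fragments(limit):
    """True when the chain limit only admits unfragmented datagrams (chain of 1 element)."""
    return limit == 1


# Constructed sample syslog lines (not from the original post); 192.0.2.0/24 and
# 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    "Dec 11 2006 14:28:54: %PIX-4-209005: Discard IP fragment set with more than 1 elements: "
    "src = 192.0.2.10, dest = 198.51.100.20, proto = tcp, id = 14003",
    "Dec 11 2006 14:28:55: %PIX-6-302013: Built inbound TCP connection 12345 for outside:192.0.2.10/4321",
    "Dec 11 2006 14:28:57: %PIX-4-209005: Discard IP fragment set with more than 1 elements: "
    "src = 192.0.2.10, dest = 198.51.100.20, proto = tcp, id = 14004",
    "Dec 11 2006 14:29:01: %PIX-4-209005: Discard IP fragment set with more than 1 elements: "
    "src = 192.0.2.11, dest = 198.51.100.30, proto = udp, id = 9001",
]

if __name__ == "__main__":
    drops, chain_limit = summarize_fragment_drops(SAMPLE_LOG)
    print("fragment chain limit seen:", chain_limit,
          "(drops every fragmented datagram)" if drops_all_fragments(chain_limit) else "")
    for (src, dst, proto), n in drops.most_common():
        print(f"{src} -> {dst} {proto}: {n} fragment set(s) discarded")
```

Run it against the output of the firewall's syslog export; the per-flow counts tell you which conversations (here, the Telnet session to the IPKVM) are the ones losing fragmented datagrams, and the reported limit confirms whether the chain setting, rather than something else in the path, is the cause.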