fragment chain - What is the risk of changing this setting?

p.mckay
Level 1

I have a PIX 515 connecting to a remote site ASA5510 using an IPSec tunnel. The remote site has numerous other devices we can telnet to without issue. There is one device at the remote site, made by Avocent, that is an IP KVM. We can telnet and login to the device, but when the person tries to load, say, the help screen or another screen after the login, the session just hangs. If we telnet to another device in the remote site, we can telnet to the IP KVM without issue from the other device.

Found this error on the corp side firewall PIX515

Dec 11 2006 14:28:54: %PIX-4-209005: Discard IP fragment set with more than 1 elements: src = 192.168.xx.xx, dest = 192.168.xx.xx, proto = tcp, id = 14003

On our corp side PIX515, so the traffic makes it to the corp firewall and it gets dropped due to the fragment set?

Current setting on the PIX 515 is "fragment chain 1 outside".

So what is the risk of increasing this setting on the corp PIX 515?

Low, Medium, High and suggestions.


zubairjalal
Level 1

Basically, a PIX allows a large packet to be fragmented into 24 fragments. By default, the fragmentation limit is 24. By the command fragment chain 1 outside, what you have specified is "do not allow any fragmented packets".

Just do a

no fragment chain 1 outside

This should allow up to 24 fragmented packets on the interface.

You can verify by issuing

the show fragment command.

You will have to disable fragmentation in case you are trying to access NAS servers. Otherwise, having fragmented packets will not have any risk.

--Pls rate if useful--
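As an added example (not from either poster and not Cisco's code): a small Python script that parses the %PIX-4-209005 message format quoted in the question out of a syslog export and counts discarded fragment sets per flow, so the drop can be confirmed before and after the fragment chain limit is changed. The log lines and addresses below are constructed, not from the post.

```python
import re
from collections import Counter

# Regex for the PIX syslog message quoted in the question above
# (%PIX-4-209005, "Discard IP fragment set with more than N elements").
FRAG_DROP_RE = re.compile(
    r"%PIX-4-209005: Discard IP fragment set with more than (?P<limit>\d+) elements: "
    r"src = (?P<src>[\w.]+), dest = (?P<dest>[\w.]+), proto = (?P<proto>\w+), id = (?P<id>\d+)"
)

# Constructed sample log lines (RFC 1918 placeholder addresses, not from the post).
# The 302013 line is noise that the parser must ignore.
SAMPLE_LOG = """\
Dec 11 2006 14:28:54: %PIX-4-209005: Discard IP fragment set with more than 1 elements: src = 192.168.10.5, dest = 192.168.20.7, proto = tcp, id = 14003
Dec 11 2006 14:28:55: %PIX-6-302013: Built inbound TCP connection 1234 for outside:192.168.20.7/23 to inside:192.168.10.5/51000
Dec 11 2006 14:28:57: %PIX-4-209005: Discard IP fragment set with more than 1 elements: src = 192.168.10.5, dest = 192.168.20.7, proto = tcp, id = 14004
Dec 11 2006 14:29:01: %PIX-4-209005: Discard IP fragment set with more than 1 elements: src = 192.168.10.9, dest = 192.168.20.7, proto = udp, id = 77
"""

def parse_fragment_drops(log_text):
    """Return one dict per %PIX-4-209005 line; every other message is ignored."""
    drops = []
    for line in log_text.splitlines():
        m = FRAG_DROP_RE.search(line)
        if m:
            d = m.groupdict()
            d["limit"] = int(d["limit"])  # the configured fragment chain limit
            d["id"] = int(d["id"])        # IP identification field of the dropped set
            drops.append(d)
    return drops

def summarize_drops(drops):
    """Count discarded fragment sets per (src, dest, proto) flow, most frequent first."""
    counts = Counter((d["src"], d["dest"], d["proto"]) for d in drops)
    return counts.most_common()

def flows_over_threshold(drops, min_drops=2):
    """Flows with at least min_drops discards: candidates for a fragment chain review."""
    return [flow for flow, n in summarize_drops(drops) if n >= min_drops]

if __name__ == "__main__":
    drops = parse_fragment_drops(SAMPLE_LOG)
    for (src, dest, proto), n in summarize_drops(drops):
        print(f"{src} -> {dest} ({proto}): {n} fragment set(s) discarded")
    print("review:", flows_over_threshold(drops))
```

Running it against the real export (e.g. after `show logging` or a syslog file) shows which flows the chain limit is actually discarding; after raising the limit the same flows should disappear from the output.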
