
FWSM versions and MTU

Running FWSM v2.3(1) in one environment and v2.3(3) in a separate environment. Are there any differences in how IP unreachables are treated in the versions? We seem to be running into MTU fragmentation issues from the later version box. We can put a rule in there but I need to know if the version differences are the cause. The earlier version works fine.


Re: FWSM versions and MTU

MTU fragmentation issues may arise due to the progression of a denial-of-service attack. Too many IP fragments are currently awaiting reassembly. By default, the maximum number of fragments is 200. The security appliance limits the number of IP fragments that can be concurrently reassembled. This restriction prevents memory depletion at the security appliance under abnormal network conditions. In general, fragmented traffic should be a small percentage of the total traffic mix. An exception is in a network environment with NFS over UDP where a large percentage is fragmented traffic; if this type of traffic is relayed through the security appliance, consider using NFS over TCP instead. To prevent fragmentation, see the sysopt connection tcpmss bytes command here
