351 Views · 0 Helpful · 1 Replies

FWSM versions and MTU

xayavongp
Level 1

Running FWSM v2.3(1) in one environment and v2.3(3) in a separate environment. Are there any differences in how IP unreachables are treated in these versions? We seem to be running into MTU fragmentation issues from the later-version box. We can put a rule in there, but I need to know if the version differences are the cause. The earlier version works fine.

1 Reply

sbilgi
Level 5

An MTU fragmentation issue may arise due to the progression of a denial-of-service attack: too many IP fragments are currently awaiting reassembly. By default, the maximum number of fragments is 200. The security appliance limits the number of IP fragments that can be concurrently reassembled. This restriction prevents memory depletion at the security appliance under abnormal network conditions. In general, fragmented traffic should be a small percentage of the total traffic mix. An exception is a network environment with NFS over UDP, where a large percentage of traffic is fragmented; if this type of traffic is relayed through the security appliance, consider using NFS over TCP instead. To prevent fragmentation, see the sysopt connection tcpmss bytes command here:

http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/s8.html#wp1381654
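As an added illustration (not part of the reply above, and not taken from Cisco's documentation verbatim), the following shows the fragment-reassembly limits and the MSS-clamping command the reply refers to, in ASA/FWSM CLI syntax. The interface name `inside` and the raised limit of 400 are assumed values; check the exact syntax against the command reference for the FWSM release in use before applying it.

```cisco
! Inspect the current reassembly state before changing anything.
! The counters show whether fragment sets are being queued or dropped,
! i.e. whether the default limit of 200 described in the reply is being hit.
show fragment
show fragment inside

! Default behaviour, written out explicitly for contrast:
!   up to 200 fragment sets awaiting reassembly on the interface,
!   at most 24 fragments per packet, 5-second reassembly timeout.
fragment size 200 inside
fragment chain 24 inside
fragment timeout 5 inside

! If legitimate fragmented traffic (for example NFS over UDP) exceeds the
! default, raise the limit only on the interface that carries it.
! 400 is an assumed value; size it from the "show fragment" counters.
fragment size 400 inside

! Clamp the TCP MSS so segments fit the path MTU without fragmentation.
! 1380 bytes is the platform default, chosen to leave headroom for
! IPsec/tunnel overhead on a 1500-byte path.
sysopt connection tcpmss 1380

! Verify the setting that is in effect.
show running-config sysopt
```

Comparing `show fragment` counters on the v2.3(1) and v2.3(3) boxes is a quick way to see whether the later box is actually discarding fragment sets or whether the difference lies elsewhere.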
