Cisco Support Community
Community Member

What does this log message mean?

I am having trouble with RDP through my LAN-to-LAN tunnel and I keep receiving the below message in my log. Do you have any idea what could cause this message and how to fix it?

209005: Discard IP fragment set with more than 1 elements: src = 196.12.47.50, dest = 174.18.22.22, proto = esp, id = 39374

Please note that I have changed the public IPs. The first IP in the log represents the outside IP address of my PIX (6.3 5) and the 2nd one is the outside IP address of the terminating VPN connection (6.3 5).

Accepted Solution

Re: What does this log message mean?

Error Message %PIX-4-209005: Discard IP fragment set with more than number elements:

src = IP_address, dest = IP_address, proto = protocol, id = number

Explanation Too many elements are in a fragment set. The firewall disallows any IP packet that is fragmented into more than 12 fragments. Refer to the fragment command in the Cisco PIX Firewall Command Reference for more information.

Recommended Action A possible intrusion event may be in progress. If the message persists, contact the remote peer's administrator or upstream provider.

Have a look at http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/df.html#wp1029667
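As an added example (not part of the original thread), a small Python parser for the message format quoted above: it pulls the fields out of each 209005 line and counts repeated discards per (src, dest, proto) flow, which is the "message persists" case the log reference says to raise with the remote peer's administrator. The log lines are constructed; the unrelated 302013 line is only there to show that other messages are skipped.

```python
import re
from collections import Counter
from typing import Iterable, Optional

# Field layout of the message quoted above (PIX 6.3 log reference). The "%PIX-4-"
# severity prefix is optional because the poster's log line arrives without it.
MSG_RE = re.compile(
    r"(?:%PIX-\d-)?209005: Discard IP fragment set with more than (?P<limit>\d+) elements:\s*"
    r"src = (?P<src>[\d.]+), dest = (?P<dst>[\d.]+), proto = (?P<proto>\w+), id = (?P<ipid>\d+)"
)

def parse_209005(line: str) -> Optional[dict]:
    """Return the fields of a 209005 message as a dict, or None for any other line."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["limit"] = int(rec["limit"])   # element count the message reports as exceeded
    rec["ipid"] = int(rec["ipid"])     # IP identification field shared by the fragments
    return rec

def flows_over_threshold(lines: Iterable[str], min_hits: int = 2) -> dict:
    """Count discards per (src, dst, proto) flow and return the flows seen at least
    min_hits times; a flow that keeps repeating is the one to take to the peer's
    administrator or upstream provider rather than a one-off to ignore."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_209005(line)
        if rec is not None:
            counts[(rec["src"], rec["dst"], rec["proto"])] += 1
    return {flow: n for flow, n in counts.items() if n >= min_hits}

# Constructed sample: the poster's line, two made-up 209005 lines, one unrelated message.
SAMPLE_LOG = [
    "209005: Discard IP fragment set with more than 1 elements: src = 196.12.47.50, dest = 174.18.22.22, proto = esp, id = 39374",
    "%PIX-4-209005: Discard IP fragment set with more than 1 elements: src = 196.12.47.50, dest = 174.18.22.22, proto = esp, id = 39375",
    "%PIX-4-209005: Discard IP fragment set with more than 1 elements: src = 203.0.113.9, dest = 174.18.22.22, proto = udp, id = 17",
    "%PIX-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.9/3389 ...",
]

if __name__ == "__main__":
    for flow, n in flows_over_threshold(SAMPLE_LOG).items():
        print(f"{n}x 209005 for {flow[0]} -> {flow[1]} ({flow[2]})")
```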

