Cisco Support Community
Community Member

Excess hits on IPS signatures 1204 and 1208

Dear friends,

I am getting a lot of 1204/0 and 1208/0 hits for a particular server behind FWSM with destination traffic being and protocol being UDP.

These signatures are relating to Missing Initial fragment and IP Fragment Incomplete datagram.

Do you have any suggestions on how to handle this?

The sensor is operating in both promiscuous as well as inline mode but I don't remember exactly if this event is coming from the virtual sensor in promiscuous mode or inline mode. I believe it is promiscuous.

Any ideas would really be appreciated.

Thanks and Regards

Cisco Employee

Re: Excess hits on IPS signatures 1204 and 1208

From FWSM's perspective

server ------ (inside vlan) FWSM (outside vlan) ------- {cloud}

Where are you sniffing?

FWSM has its own fragmentation checks in place and will not allow traffic for which it has not received all the fragments - maybe it's pointless to have those checks on IPS?

Helpful FWSM commands:

show frag
show np 3 reas

On a higher level. I know that certain multicast apps will send huge chunks of fragmented data and you may consider raising MTU on FWSM + using jumbo frames to mitigate some of the impact. You'd need to know who's receiving those multicast groups though.
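Added illustration, not code from this thread or from Cisco: a small Python model of the checks behind the two signatures, so you can see what makes a flow trip 1204 (every piece after the start arrived, an offset-0 piece never did) versus 1208 (the reassembly timer expired with pieces still missing), and why a sensor sniffing outside the FWSM can log these for fragments the FWSM then drops. The flow key, the 5 s timer, byte offsets and the sample fragments are assumptions.

```python
from collections import namedtuple

# One IP fragment as the sensor sees it (offset/length in bytes here; a real IP
# header stores the offset in 8-byte units); mf is the More Fragments flag.
Frag = namedtuple("Frag", "src dst ip_id offset length mf ts")

def _span(pieces):
    # Merge (start, end) ranges; return (lo, hi) if contiguous, None if there is a gap.
    pieces = sorted(pieces)
    lo, hi = pieces[0]
    for start, end in pieces[1:]:
        if start > hi:
            return None
        hi = max(hi, end)
    return lo, hi

def _expire(table, now, timeout, events):
    # Reassembly timer ran out: decide which signature the leftover pieces match.
    for key in [k for k, d in table.items() if now - d["first"] > timeout]:
        d = table.pop(key)
        s = _span(d["pieces"]) if d["total"] >= 0 else None
        # Whole tail present but no offset-0 piece ever arrived -> 1204, else 1208.
        events.append((key, 1204 if s and s[1] >= d["total"] and s[0] != 0 else 1208))

def classify(frags, end_ts, timeout=5.0):
    """Replay fragments in arrival order; return [(flow_key, sig_id)] events."""
    table, events = {}, []
    for f in frags:
        _expire(table, f.ts, timeout, events)     # age out stale datagrams first
        key = (f.src, f.dst, f.ip_id)
        d = table.setdefault(key, {"first": f.ts, "pieces": [], "total": -1})
        d["pieces"].append((f.offset, f.offset + f.length))
        if not f.mf:
            d["total"] = f.offset + f.length      # MF=0 piece fixes the datagram length
        s = _span(d["pieces"]) if d["total"] >= 0 else None
        if s and s[0] == 0 and s[1] >= d["total"]:
            del table[key]                        # fully reassembled, nothing to report
    _expire(table, end_ts, timeout, events)       # flush whatever is still pending
    return events

# Constructed sample 10.0.0.5 -> 10.0.1.9: id 1 arrives whole, id 2 never sends its
# first piece, id 3 only ever sends its first piece; the capture ends at t=10 s.
SAMPLE = [Frag("10.0.0.5", "10.0.1.9", 1, 0, 1480, True, 0.00),
          Frag("10.0.0.5", "10.0.1.9", 1, 1480, 1480, True, 0.01),
          Frag("10.0.0.5", "10.0.1.9", 1, 2960, 200, False, 0.02),
          Frag("10.0.0.5", "10.0.1.9", 2, 1480, 1480, True, 0.10),
          Frag("10.0.0.5", "10.0.1.9", 2, 2960, 200, False, 0.11),
          Frag("10.0.0.5", "10.0.1.9", 3, 0, 1480, True, 0.20)]

if __name__ == "__main__":
    for key, sig in classify(SAMPLE, end_ts=10.0):
        print(f"sig {sig}/0  {key[0]} -> {key[1]}  ip_id={key[2]}")
```

On the sample, id 2 is reported as 1204 and id 3 as 1208; an initial fragment that turns up after the timer has already fired is treated as the start of a new, separate datagram, which is the out-of-order case that produces false positives on a busy UDP server.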
