Cisco Support Community

New Member

Don't Fragment flag set by PIX 515e 7.0(4)

I am in the process of setting up an SSL application at our site, I have got this same system up and running on one of our other sites without any problems. This one however does not work and I think I have traced the problem to our Cisco PIX 515e firewall. For some reason when the data arrives at the outside interface of the PIX the 'Don't Fragment' flag is not set, but when the packet leaves the firewall destined for a server inside my network the Don't Fragment flag has been set to one and the rest of the data stream is dropped. Any ideas why the firewall would be doing this?

2 REPLIES
Bronze

Re: Don't Fragment flag set by PIX 515e 7.0(4)

PIX Firewall supports the IP Path MTU Discovery mechanism, as defined in RFC 1191. IP Path MTU Discovery allows a host to dynamically discover and cope with differences in the maximum allowable maximum transmission unit (MTU) size of the various links along the path. Sometimes a PIX Firewall is unable to forward a datagram because it requires fragmentation (the packet is larger than the MTU you set for the interface), but the "don't fragment" (DF) bit is set. The network software sends a message to the sending host, alerting it to the problem. The host will have to fragment packets for the destination so that they fit the smallest packet size of all the links along the path.
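
The following is an added worked example, not part of the reply above or of any Cisco documentation. It shows the two halves of the RFC 1191 mechanism the reply describes, in plain Python with constructed packets: a parser that reads the DF/MF flags and total length out of a raw IPv4 header (useful for checking captures taken on the outside and inside interfaces, to confirm whether DF really changes across the firewall), a forwarding decision that either forwards, fragments, or returns an ICMP "fragmentation needed" (type 3, code 4) indication carrying the next-hop MTU, and a sender-side path-MTU tracker that only ever lowers its estimate in response to such messages. The IP addresses, identification value and MTU values are constructed sample data.

```python
import struct

# IPv4 flags field (3 bits, top of the flags/fragment-offset halfword)
IP_FLAG_DF = 0x2  # Don't Fragment
IP_FLAG_MF = 0x1  # More Fragments


def build_ipv4_packet(total_length, df, mf=False, frag_offset=0,
                      ident=0x1234, proto=6, src="10.0.0.1", dst="192.0.2.10"):
    """Constructed sample packet: a minimal 20-byte IPv4 header plus zero payload.
    Only the fields relevant to PMTUD are meaningful; checksum is left at 0."""
    flags = (IP_FLAG_DF if df else 0) | (IP_FLAG_MF if mf else 0)
    flags_frag = (flags << 13) | (frag_offset & 0x1FFF)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_length, ident, flags_frag,
                         64, proto, 0, src_b, dst_b)
    return header + b"\x00" * (total_length - len(header))


def parse_ipv4_flags(packet):
    """Read IHL, total length, DF/MF flags and fragment offset from raw bytes.
    This is the check to apply to a capture from each firewall interface."""
    ihl = (packet[0] & 0x0F) * 4
    (total_length,) = struct.unpack("!H", packet[2:4])
    (flags_frag,) = struct.unpack("!H", packet[6:8])
    flags = flags_frag >> 13
    return {
        "ihl": ihl,
        "total_length": total_length,
        "df": bool(flags & IP_FLAG_DF),
        "mf": bool(flags & IP_FLAG_MF),
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # offset is in 8-byte units
    }


def forward_decision(packet, egress_mtu):
    """Model of a router/firewall egress decision under RFC 1191.
    Returns ("forward", None), ("fragment", n_fragments) or
    ("icmp_frag_needed", next_hop_mtu)."""
    info = parse_ipv4_flags(packet)
    if info["total_length"] <= egress_mtu:
        return ("forward", None)
    if info["df"]:
        # Too big and DF set: drop and report ICMP type 3 code 4 with the
        # next-hop MTU so the sender can shrink its packets.
        return ("icmp_frag_needed", egress_mtu)
    # DF clear: fragment. Each fragment's payload must be a multiple of 8 bytes.
    payload = info["total_length"] - info["ihl"]
    per_fragment = (egress_mtu - info["ihl"]) // 8 * 8
    n_fragments = -(-payload // per_fragment)  # ceiling division
    return ("fragment", n_fragments)


class PmtuSender:
    """Sender-side path MTU estimate, updated from ICMP fragmentation-needed
    reports. Per RFC 1191 the estimate only decreases in response to reports;
    a bogus report advertising a larger MTU is ignored."""

    def __init__(self, initial_mtu=1500):
        self.path_mtu = initial_mtu

    def on_icmp_frag_needed(self, next_hop_mtu):
        if 0 < next_hop_mtu < self.path_mtu:
            self.path_mtu = next_hop_mtu
        return self.path_mtu


if __name__ == "__main__":
    big_df = build_ipv4_packet(1500, df=True)
    print(parse_ipv4_flags(big_df))
    print(forward_decision(big_df, 1400))   # ICMP needed: DF set, link MTU 1400
    print(forward_decision(build_ipv4_packet(1500, df=False), 1400))  # fragments
    sender = PmtuSender()
    print(sender.on_icmp_frag_needed(1400))  # path MTU drops to 1400
```

If the poster's description holds, parse_ipv4_flags over a capture on the outside interface would report df False while the same flow captured inside reports df True; the forward_decision model then shows why the inside host's replies get dropped rather than fragmented once any downstream link is smaller than the packet.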

New Member

Re: Don't Fragment flag set by PIX 515e 7.0(4)

I know that the PIX supports Path MTU discovery but in this case it does not seem to be doing its job. I have checked that all ICMP responses are allowed as well so it can't be that. I have the same application set up in another location behind a PIX running version 6.3 and it works fine, the DF flag is never set and the packets are passed, yet on the site where I have version 7.0 running the DF flag always gets set and the packets are dropped. The device/application sending the data is the same in both cases so it cannot be the device which needs to be changed. If it were the device setting the flag I would expect to see the problem on both sites. This only happens when we are using SSL. I know that SSL makes the packets bigger due to the overhead but why does it work behind PIX 6.3 and not PIX 7.0?
