VFR error

prashantrecon
Level 1

Hi team,

We are getting an error on our router.

004488: *Dec  7 06:34:17.602 UTC: %IP_VFR-3-OVERLAP_FRAGMENTS: FastEthernet0/0: from the host 203.18.137.116 destined to 99.88.45.237

4 Replies

Peter Paluch
Cisco Employee

Hi,

This message informs you that the IP packet fragments arriving from the host 203.18.137.116 are overlapping, i.e. if the packet was to be put back together, parts of it would overlap and overwrite each other. The VFR (Virtual Fragmentation and Reassembly) is a feature on Cisco routers that keeps track of fragmented packets so that they can pass ACL checks as if they were unfragmented.

Overlapping fragments are most often caused by malicious intents, as correct IP packet fragmentation will never produce overlapping fragments. You can assume that either the 203.18.137.116 is intentionally creating a stream of overlapping fragments to confuse and/or interfere with the correct operation of the 99.88.45.237 (and routers/firewalls in between), or some device on the route between these two hosts has a faulty IP driver that creates overlapping fragments.

In any case, there is nothing you can do about it. It is not your fault, and the router is merely informing you about a suspicious flow of IP packets.

Best regards,

Peter

Hi Peter,

We are also receiving packet drops when we ping the router's inside interface.

Every time the destination IP is changing. Is there any way to prevent this?

We are also receiving this error:

005024: *Dec  7 14:08:11.528 UTC: %IP_VFR-4-FRAG_TABLE_OVERFLOW: FastEthernet0/0: the fragment table has reached its maximum threshold 64

Hello,

I am afraid you can't do much against the occurrence of fragmented packets. You can try entering the following command on your IP-enabled interfaces:

no ip virtual-reassembly

This will deactivate the VFR functionality. You can safely do this if you are not using any ACLs on the affected device. If you do happen to use ACLs, you can use the command as well, but you should keep a watchful eye on the traffic after deactivating the VFR, as some (fragmented) traffic may get incorrectly denied or permitted.

Best regards,

Peter
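The two messages discussed in this thread are easy to triage once they are pulled out of the syslog stream: counting OVERLAP_FRAGMENTS events per source, the number of distinct destinations each source hits, and how often the fragment table overflows tells you whether you are looking at one misbehaving host or a steady stream worth escalating. The parser below is an added example written for this thread, not code from the original posts or from Cisco; it assumes the IOS syslog layout of the two lines quoted above, and the extra sample lines (198.51.100.7 and the 192.0.2.x destinations) are constructed to exercise the aggregation.

```python
import re
from collections import Counter, defaultdict

# Cisco IOS syslog line layout as seen in the thread:
#   <seq>: *<Mon> <d> <hh:mm:ss.mmm> <TZ>: %IP_VFR-<sev>-<MNEMONIC>: <iface>: <detail>
VFR_LINE = re.compile(
    r"^(?P<seq>\d+):\s+\*?(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d{2}:\d{2}:\d{2}\.\d{3}\s+\w+):\s+"
    r"%IP_VFR-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+):\s+(?P<iface>[^:\s]+):\s+(?P<detail>.*)$"
)
OVERLAP_DETAIL = re.compile(
    r"from the host (?P<src>\d+\.\d+\.\d+\.\d+) destined to (?P<dst>\d+\.\d+\.\d+\.\d+)"
)
OVERFLOW_DETAIL = re.compile(r"maximum threshold (?P<threshold>\d+)")


def parse_vfr_line(line):
    """Return a dict for an %IP_VFR syslog line, or None for any other line."""
    m = VFR_LINE.match(line.strip())
    if not m:
        return None
    rec = {
        "seq": int(m["seq"]),
        "timestamp": m["ts"],
        "severity": int(m["sev"]),
        "mnemonic": m["mnemonic"],
        "interface": m["iface"],
        "src": None,
        "dst": None,
        "threshold": None,
    }
    if rec["mnemonic"] == "OVERLAP_FRAGMENTS":
        d = OVERLAP_DETAIL.search(m["detail"])
        if d:
            rec["src"], rec["dst"] = d["src"], d["dst"]
    elif rec["mnemonic"] == "FRAG_TABLE_OVERFLOW":
        d = OVERFLOW_DETAIL.search(m["detail"])
        if d:
            rec["threshold"] = int(d["threshold"])
    return rec


def summarize(lines, min_events=3):
    """Aggregate VFR messages: overlap events per source, distinct destinations
    per source, and fragment-table overflows. A source is flagged for review
    when it produced at least `min_events` overlaps or targeted more than one
    destination (the "destination keeps changing" pattern from the thread)."""
    overlaps = Counter()
    dsts = defaultdict(set)
    overflow_events = 0
    threshold = None
    for line in lines:
        rec = parse_vfr_line(line)
        if rec is None:
            continue  # not a VFR message; ignore
        if rec["mnemonic"] == "OVERLAP_FRAGMENTS" and rec["src"]:
            overlaps[rec["src"]] += 1
            dsts[rec["src"]].add(rec["dst"])
        elif rec["mnemonic"] == "FRAG_TABLE_OVERFLOW":
            overflow_events += 1
            threshold = rec["threshold"]
    flagged = sorted(
        src for src, n in overlaps.items() if n >= min_events or len(dsts[src]) > 1
    )
    return {
        "overlaps_by_src": dict(overlaps),
        "dst_by_src": {s: sorted(d) for s, d in dsts.items()},
        "overflow_events": overflow_events,
        "table_threshold": threshold,
        "flagged_sources": flagged,
    }


# Sample input: the first two lines are the ones quoted in the thread; the rest
# are constructed (documentation address space) to show the aggregation.
SAMPLE_LOG = [
    "004488: *Dec  7 06:34:17.602 UTC: %IP_VFR-3-OVERLAP_FRAGMENTS: FastEthernet0/0: from the host 203.18.137.116 destined to 99.88.45.237",
    "005024: *Dec  7 14:08:11.528 UTC: %IP_VFR-4-FRAG_TABLE_OVERFLOW: FastEthernet0/0: the fragment table has reached its maximum threshold 64",
    "004490: *Dec  7 06:34:19.010 UTC: %IP_VFR-3-OVERLAP_FRAGMENTS: FastEthernet0/0: from the host 203.18.137.116 destined to 192.0.2.10",
    "004491: *Dec  7 06:34:20.115 UTC: %IP_VFR-3-OVERLAP_FRAGMENTS: FastEthernet0/0: from the host 203.18.137.116 destined to 192.0.2.11",
    "004492: *Dec  7 06:35:02.400 UTC: %IP_VFR-3-OVERLAP_FRAGMENTS: FastEthernet0/0: from the host 198.51.100.7 destined to 99.88.45.237",
    "004493: *Dec  7 06:35:03.000 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up",
]

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for src in result["flagged_sources"]:
        print(f"review source {src}: {result['overlaps_by_src'][src]} overlapping-fragment "
              f"events towards {len(result['dst_by_src'][src])} destination(s)")
    if result["overflow_events"]:
        print(f"fragment table overflowed {result['overflow_events']} time(s) "
              f"(threshold {result['table_threshold']})")
```

Feed it the output of `show logging` or the router's syslog export; a source that stays flagged across several collection windows is the one to raise with the upstream provider or to filter at the edge, while a single overflow event with no flagged source usually just reflects a transient burst.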

Hi Peter,

Today I have blocked the UDP port on that server which was exposed to the internet.

Until evening I haven't received any log as mentioned above.
