New Member

ASA 5585X in L2 trans. mode drops (ASP) fragm. IPv4 UDP multicast

Hello Community,

it seems there are problems with dropped fragmented IPv4 UDP multicast traffic on an ASA 5585X platform running ver. 8.4(6)5. The following sample topology has been used for the verification scenario:

MC src and rcv
(XChariot)
|
-----C4503---------------ASA5585X-L2mode-----------IPSEC-Appl.------WAN----------Remote Site with (S,G) (10.10.4.156,225.1.2.154) (XChariot)
|
MC src and rcv
(XChariot)

Test 1: (S,G) (10.10.4.156,225.1.2.154) sends UDP with a UDP length of 1341
(trace "WAN-IF_capture_225.1.2.154_no-frag" and output "L2FW-not_fragmented").

The traffic passes through the Transparent mode ASA without any problems.

Test 2: (S,G) (10.10.4.156,225.1.2.154) sends UDP with a UDP length of 3441, resulting in fragmentation.

This traffic, and unfortunately it is the same for the real application, is dropped by the ASA. The two ASP drop counters for "Dst MAC L2 Lookup Failed" and "invalid-udp-length" are increasing in a relation of 3 (DstMAC) : 1 (invalid udp).

The file "L2FW-frag_IPv4_UDP_MC_ASPdrops" shows first the capture on the WAN and then the captures on the ASP drops. In addition, there are the three traces in pcap format.

Any idea?

Thank you in advance for your contribution.

1 REPLY
New Member


Hello Community,

The following combination solved our problem for now: an upgrade to ASA OS 9.1.3 (asa913-2-smp-k8.bin) and the change from virtual reassembly (default) to hardware reassembly -> global-cfg -> fragment reassembly full [interface].

http://www.cisco.com/en/US/docs/security/asa/command-reference/f2.html#wp2019322

Perhaps further tests will be made using lower interim versions.

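Added example, not part of the original thread and not a model of the ASA's internal ASP checks: a Python sketch that rebuilds the two test datagrams from the first post as IPv4 fragments and compares the UDP length field against a single fragment and against the reassembled datagram, which is the difference full reassembly makes for a length check. The 1500-byte MTU, the UDP port 5000, the IP ID and the function names are assumptions; the packets are constructed, not taken from the attached traces.

```python
import struct
from collections import defaultdict

SRC, DST = "10.10.4.156", "225.1.2.154"  # (S,G) from the post
IP_FMT = "!BBHHHBBH4s4s"                 # 20-byte IPv4 header, no options

def build_fragments(udp_len, mtu=1500, ident=0x1234):
    """Constructed sample: one UDP datagram as IPv4 fragments (checksums left 0)."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    udp = struct.pack("!HHHH", 5000, 5000, udp_len, 0) + bytes(udp_len - 8)
    step = (mtu - 20) // 8 * 8           # fragment offsets count 8-byte units
    frags = []
    for off in range(0, len(udp), step):
        chunk = udp[off:off + step]
        more = 0x2000 if off + step < len(udp) else 0   # MF flag
        hdr = struct.pack(IP_FMT, 0x45, 0, 20 + len(chunk), ident,
                          more | off // 8, 16, 17, 0, addr(SRC), addr(DST))
        frags.append(hdr + chunk)
    return frags

def inspect(packets):
    """Compare the UDP length field with one fragment and with the reassembled datagram."""
    flows = defaultdict(dict)
    for p in packets:
        _, _, total, ident, frag, _, proto, _, src, dst = struct.unpack(IP_FMT, p[:20])
        ihl = (p[0] & 0x0F) * 4
        flows[(src, dst, ident, proto)][(frag & 0x1FFF) * 8] = (p[ihl:total], bool(frag & 0x2000))
    report = []
    for parts in flows.values():
        data, complete = b"", 0 in parts
        for off in sorted(parts):        # contiguous, starting at offset 0?
            complete = complete and off == len(data)
            data += parts[off][0]
        complete = complete and not parts[max(parts)][1]   # last fragment has MF=0
        first = parts[0][0] if 0 in parts else b""
        udp_len = struct.unpack("!H", first[4:6])[0] if len(first) >= 8 else None
        report.append({
            "fragments": len(parts),
            "udp_len": udp_len,
            "first_fragment_bytes": len(first),
            "fits_first_fragment": udp_len == len(first),   # what a per-fragment check sees
            "valid_reassembled": complete and udp_len == len(data),
        })
    return report

if __name__ == "__main__":
    for udp_len in (1341, 3441):         # Test 1 and Test 2 from the post
        print(udp_len, inspect(build_fragments(udp_len)))
```

The same `inspect` function can be fed raw IPv4 packets extracted from a capture to confirm that every fragment of a datagram arrived and that the UDP length is consistent once reassembled.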