Cisco Support Community
Community Member

Does Enabling FragGuard on the PIX affect the IDS Sensor

Will enabling the FragGuard option on the PIX firewall have any effect on the IDS's communication/operation with the IDS-MC? Since version 4 sensors are using Red Hat Linux, and we all know Linux sends IP fragments in reverse order, will the fragmented Linux packets then be dropped by the FragGuard option on the PIX (this is of course based on a remote distribution where the sensor is not on the same network segment as the IDS-MC).

Any comments/answers?

Cisco Employee

Re: Does Enabling FragGuard on the PIX affect the IDS Sensor

I personally have never tried this option in the Pix.

But my gut feel is that it should not affect IDS communications.

From the Pix Guide's description for FragGuard:

FragGuard and virtual reassembly is a feature that provides IP fragment protection. This feature performs full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the PIX Firewall. Virtual reassembly is currently enabled by default. This feature uses syslog to log any fragment overlapping and small fragment offset anomalies, especially those caused by a teardrop attack.

My understanding of this statement would be that the Pix is looking for fragment anomalies that are often done by hackers to get by security devices. This would include overlapping the fragments to try and hide some of the data in the fragment, or sending very small fragments to try and sneak them by the security device.

For normal fragments the Pix would just virtually reassemble the fragments into the original datagram, see that the fragments were normal and pass them on through to the end device.

Since any fragments being generated in the IDS communications should just be normal fragmentation of large packets, I don't think that the FragGuard option will have any effect. It will reassemble the fragments, see they are normal, and forward them on without an issue.

I don't think that reverse ordering of the fragments should cause any issues, since this is becoming more and more common and is allowed by the RFC. I would expect that the Pix should be able to handle both forward and reverse ordered fragments just fine and pass them through.

NOTE: This is just my best guess as I have not tested it.

Are you seeing an issue already in your deployment, or are you just asking as part of your planning for deployment?
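As an added illustration of the virtual-reassembly behaviour described in the reply above (this is example code, not code from the thread or from Cisco's PIX): a minimal Python reassembler that accepts fragments in any arrival order, reverse order included, but rejects the overlapping and tiny-fragment anomalies that FragGuard is described as logging. The MIN_NONFINAL_PAYLOAD threshold and the sample fragment sets are assumptions constructed for the demo.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed threshold: a non-final fragment must carry at least a UDP header's
# worth of payload. The real PIX "small fragment" limit is not given in the thread.
MIN_NONFINAL_PAYLOAD = 8


@dataclass
class Fragment:
    offset: int      # byte offset into the original datagram
    more: bool       # IP "More Fragments" flag
    payload: bytes


def virtual_reassemble(frags: List[Fragment]) -> Optional[bytes]:
    """Return the reassembled datagram payload, or None if the set is anomalous.

    Arrival order is irrelevant: fragments are sorted by offset first, so a
    sender that emits the last fragment first (the Linux behaviour discussed
    in the thread) is treated exactly like a forward-order sender.
    """
    if not frags:
        return None
    ordered = sorted(frags, key=lambda f: f.offset)
    expected, out = 0, bytearray()
    for i, f in enumerate(ordered):
        if f.offset < expected:
            return None              # overlap (teardrop-style): drop whole datagram
        if f.offset > expected:
            return None              # hole: datagram incomplete, cannot verify
        is_last = i == len(ordered) - 1
        if f.more == is_last:
            return None              # MF must be set on every fragment but the last
        if f.more and len(f.payload) < MIN_NONFINAL_PAYLOAD:
            return None              # tiny non-final fragment anomaly
        out += f.payload
        expected += len(f.payload)
    return bytes(out)


# Constructed sample fragments of one 21-byte datagram (not captured traffic).
_A, _B, _C = b"A" * 8, b"B" * 8, b"C" * 5
REVERSE_ORDER = [Fragment(16, False, _C), Fragment(8, True, _B), Fragment(0, True, _A)]
FORWARD_ORDER = list(reversed(REVERSE_ORDER))
OVERLAPPING = [Fragment(0, True, _A), Fragment(4, True, _B), Fragment(12, False, _C)]
TINY_FIRST = [Fragment(0, True, b"A" * 4), Fragment(4, False, _B)]

if __name__ == "__main__":
    for name in ("FORWARD_ORDER", "REVERSE_ORDER", "OVERLAPPING", "TINY_FIRST"):
        print(name, virtual_reassemble(globals()[name]))
```

Both orderings reassemble to the same datagram, while the overlapping and tiny-fragment sets are rejected, which is the distinction the reply draws between normal and anomalous fragmentation.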

Community Member

Re: Does Enabling FragGuard on the PIX affect the IDS Sensor

We might be seeing an issue and are trying to rule this out. We have been losing connections to our Cisco IDS using NetForensics where NF shows a connection established using netstat but the IDS shows no connection. In order to get the connection re-established we need to stop and start the nfcids4ctl process. There was some documentation forwarded to us by one of our CCIEs that stated:

"Note: Because Linux sends IP fragments in reverse order, fragmented Linux packets will not pass through the PIX firewall if sysopt security fragguard has been enabled."

I'm not sure the IDS would send any packets that need to be fragmented in the first place though. Again, just trying to rule this out as the cause.
