I am running v6.2(2) on a 515E failover config. All of my packets (inbound and outbound) that pass through the firewall, from a capture command, end with (fragment-packet). I have sniffed the switchports (using ethereal) of the PIX and the FastEthernet interface of the Internet access router that is on the outside subnet. When I search for ip.fragment or ip.frag_offset != 0, I only see one fragmented packet. I have the same results when using the secondary PIX only. The PIX has only been in place for about a week.
What you may be seeing is the DF bit set to 0 which means "You can fragment" vs being set to 1 which means "Do not fragment". I think the output of the Pix is saying the packet can be fragmented rather than it has been fragmented.
OK. But I have done captures on 2 other PIXs, one running v6.2(2) and one running 6.3(1). None of the packets ended with (fragment-packet).
The reason why I did a capture in the first place is that a couple of web sites that required authentication and a few ssh connections were taking 30-40 seconds to load. They were loading in normal time (< 3 sec) without the PIX in place.
I just think that something is odd that out of 10 captures every single packet captured from the PIX ends with (fragment-packet).
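As an added illustration (not part of the original thread), this Python sketch decodes the IPv4 flags and fragment-offset field discussed above: DF=0 only permits fragmentation, while an actual fragment has MF=1 or a non-zero offset. The helper names, addresses and sample headers are constructed for the example.

```python
import struct

def build_ipv4_header(df=False, mf=False, offset_bytes=0, ident=0x1234):
    """Build a minimal 20-byte IPv4 header (constructed sample, checksum left at 0)."""
    if offset_bytes % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    # 16-bit field: reserved bit, DF, MF, then a 13-bit offset in 8-byte units.
    flags_frag = (int(df) << 14) | (int(mf) << 13) | (offset_bytes // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ident, flags_frag, 64, 6, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))

def classify(header: bytes) -> dict:
    """Decode bytes 4-7 of an IPv4 header and report its fragmentation state."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    if header[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ident, flags_frag = struct.unpack("!HH", header[4:8])
    df = bool(flags_frag & 0x4000)
    mf = bool(flags_frag & 0x2000)
    offset = (flags_frag & 0x1FFF) * 8
    return {
        "id": ident,
        "df": df,
        "mf": mf,
        "offset": offset,
        "may_fragment": not df,               # DF=0: routers are allowed to fragment
        "is_fragment": mf or offset != 0,     # the packet really is a fragment
    }

def count_fragments(headers) -> int:
    """Count headers that belong to fragmented datagrams."""
    return sum(1 for h in headers if classify(h)["is_fragment"])

# Constructed samples: whole packet with DF=0, whole packet with DF=1,
# first fragment (MF=1, offset 0) and last fragment (MF=0, offset 1480).
SAMPLES = [
    build_ipv4_header(df=False),
    build_ipv4_header(df=True),
    build_ipv4_header(mf=True, offset_bytes=0),
    build_ipv4_header(mf=False, offset_bytes=1480),
]

if __name__ == "__main__":
    for hdr in SAMPLES:
        print(classify(hdr))
    print("fragments:", count_fragments(SAMPLES))
```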
We have configured the outside and inside Interface with official IPv6 addresses, set a default route on outside Interface to our router, we also have defined a rule, which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...