I'm baffled by this one. I found that the SA520 does not seem to be able to reassemble fragmented packets. I have 2 sites and I set up a site-to-site IPSEC link. The problem started that small packets less than 1409 bytes could be transmitted across the link, but not larger ones. This caused problems and caused me to do more testing. I found that even when pinging the LAN IP from a local computer, I couldn't ping larger than 1472, which I expect if I set the NoFragment bit. But if I don't set the NoFragment bit, why can't it reassemble the 2 packets from a 1475 byte ping?
I did a packet trace (from the SA520's UI) and looked at the .CAP file with Wireshark. I see the 2 fragments for each ping request (the first one, and then the 3 extra bytes, totaling 1475 bytes) and then nothing else until exactly 30 seconds later. At that time I get a ping response of "Type: 11 (Time-to-live exceeded)" with a code of "Code: 1 (Fragment reassembly time exceeded)".
So, it seems that the SA520 doesn't think it got all the packets, or it just refused to put them back together. I get roughly the same results pinging the SA520 on the other side of the IPSEC link (which right now is a cable connecting the 2 together in my lab).
This seems like a bug to me, but I can't believe no one else has had any problem like this. Anyone?
After a couple of calls with Cisco support, I found the reason and solution. In the Firewall -> Attacks configuration page, there is an option for "Block Fragmented Packets" that is checked by default. It seems that not only does this block regular WAN traffic that is fragmented, but it also blocks traffic that is part of any IPSEC VPN tunnel. Now that I know it, it seems like something I should have found; however, I would have thought that the firewall would not have blocked traffic within the tunnel.
After changing that, all the symptoms I described above went away. I could ping successfully with any size packet I desired,
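The fragmentation arithmetic and the 30-second reassembly timeout described in this thread, as an added Python example (not code from the original poster or from Cisco): a 1475-byte ping is split at a 1500-byte MTU and fed to a small reassembly queue, once normally and once behind a filter that discards non-initial fragments (an assumption about how a "block fragments" rule could produce the timeout seen in the capture). The addresses and the IP ID are constructed sample values.

```python
from dataclasses import dataclass, field

IP_HDR = 20    # IPv4 header length without options
ICMP_HDR = 8   # ICMP echo header length

def fragment(payload: bytes, mtu: int = 1500):
    """Split an IP payload into (offset in 8-byte units, more_fragments, data)."""
    chunk = (mtu - IP_HDR) // 8 * 8   # non-final fragment data is a multiple of 8
    frags = []
    for off in range(0, len(payload), chunk):
        data = payload[off:off + chunk]
        frags.append((off // 8, off + len(data) < len(payload), data))
    return frags

@dataclass
class Reassembler:
    timeout: float = 30.0
    # key -> [first_seen, total_length or None, {byte_offset: data}]
    queues: dict = field(default_factory=dict)

    def add(self, key, offset, mf, data, now):
        """Queue one fragment; return the whole payload once all bytes are present."""
        q = self.queues.setdefault(key, [now, None, {}])
        q[2][offset * 8] = data
        if not mf:                         # the last fragment fixes the total length
            q[1] = offset * 8 + len(data)
        if q[1] is not None and sum(map(len, q[2].values())) == q[1]:
            del self.queues[key]
            return b"".join(q[2][o] for o in sorted(q[2]))
        return None

    def expire(self, now):
        """Discard stale queues; a router answers these with ICMP type 11, code 1."""
        stale = [k for k, q in self.queues.items() if now - q[0] >= self.timeout]
        for k in stale:
            del self.queues[k]
        return stale

def ping_scenario(block_fragments: bool):
    """Constructed: 'ping -s 1475' on a 1500-byte MTU, with or without a filter
    that discards non-initial fragments (assumed to model the blocking rule)."""
    payload = b"\x08\x00" + b"\x00" * (ICMP_HDR - 2) + b"A" * 1475
    key = ("192.0.2.10", "192.0.2.1", 0x1234, 1)   # src, dst, IP ID, proto ICMP
    r, result = Reassembler(), None
    for off, mf, data in fragment(payload):
        if block_fragments and off != 0:
            continue                        # fragment never reaches reassembly
        result = r.add(key, off, mf, data, now=0.0)
    return result, r.expire(now=30.0)       # (payload or None, timed-out keys)
```

The first fragment carries 1480 bytes of payload and the second the remaining 3, matching the capture; with the filter in place only the first fragment is queued, and after 30 seconds the queue expires, which is the point at which the "Fragment reassembly time exceeded" reply appears.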