Netscreens' "Block Fragment Traffic" option blocks ipsec/udp traffic
We have a vendor who uses a Netscreen firewall and, for security purposes, needs to have the "Block Fragment Traffic" option enabled. Yet that option is blocking our IPsec over UDP traffic from our ASA5550. I've tried all the possible pre-fragmentation options, and our interface MTU is set to 1500.
The strange thing is that we have existing 3000s they can connect to fine through this Netscreen. It's only the new ASA that they cannot connect to. They turned off the Block Fragment Traffic option as a test and were able to log in to the ASA without a problem.
Has anyone encountered this issue or know of a workaround? Thanks in advance.
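To see why a firewall that drops IP fragments breaks IPsec over UDP at a 1500-byte MTU, here is an added size calculator (not from the thread or from Cisco/Juniper). It assumes tunnel-mode ESP with AES-CBC and HMAC-SHA1-96, and the RFC 3948 style of UDP encapsulation (a plain 8-byte UDP header in front of ESP); other cipher suites change only the constants.

```python
"""Estimate whether an ESP-in-UDP packet exceeds the outer MTU and therefore
leaves the VPN headend as IP fragments, which a 'Block Fragment Traffic'
rule on the far-end firewall would then drop."""
from dataclasses import dataclass

IP_HDR = 20          # outer IPv4 header, no options
UDP_HDR = 8          # UDP encapsulation header (UDP/4500 NAT-T or similar)
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspSuite:
    iv_len: int      # cipher IV carried in every ESP packet
    block: int       # cipher block size; ESP pads payload+trailer to it
    icv_len: int     # truncated integrity check value


# Assumed suite: AES-CBC (16-byte IV and block) with HMAC-SHA1-96 (12-byte ICV)
AES_CBC_SHA1 = EspSuite(iv_len=16, block=16, icv_len=12)


def esp_len(inner_len: int, suite: EspSuite) -> int:
    """ESP header + IV + padded (inner IP packet + trailer) + ICV."""
    unpadded = inner_len + ESP_TRAILER
    pad = (-unpadded) % suite.block
    return ESP_HDR + suite.iv_len + unpadded + pad + suite.icv_len


def encapsulated_len(inner_len: int, suite: EspSuite, udp_encap: bool = True) -> int:
    """Total outer packet size for a tunnel-mode inner IP packet of inner_len."""
    outer = IP_HDR + esp_len(inner_len, suite)
    return outer + UDP_HDR if udp_encap else outer


def fragments(inner_len: int, suite: EspSuite, mtu: int = 1500, udp_encap: bool = True) -> bool:
    """True if the encapsulated packet cannot fit in one outer MTU-sized frame."""
    return encapsulated_len(inner_len, suite, udp_encap) > mtu


def max_inner_len(suite: EspSuite, mtu: int = 1500, udp_encap: bool = True) -> int:
    """Largest inner IP packet that still fits in one outer packet, i.e. the
    tunnel MTU a client or TCP MSS clamp would need to stay under."""
    for n in range(mtu, 0, -1):
        if encapsulated_len(n, suite, udp_encap) <= mtu:
            return n
    return 0


if __name__ == "__main__":
    # A full-size 1500-byte inner packet becomes 1568 bytes on the wire.
    print(encapsulated_len(1500, AES_CBC_SHA1), fragments(1500, AES_CBC_SHA1))
    print(max_inner_len(AES_CBC_SHA1), max_inner_len(AES_CBC_SHA1, udp_encap=False))
```

With these assumptions a 1500-byte inner packet becomes 1568 bytes and must be fragmented, while the largest inner packet that survives unfragmented is 1422 bytes with UDP encapsulation (1438 for raw ESP), which is the size the pre-fragmentation or MSS settings have to bring the inner traffic down to.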
Re: Netscreens' "Block Fragment Traffic" option blocks ipsec/udp
Hi, sorry I cannot help, but I am having the same problem with fragmented packets when connecting with the Cisco VPN client through a Checkpoint firewall with SmartDefense enabled, trying to access a Cisco VPN Concentrator 3000. It connects, but the Checkpoint drops fragmented packets. Checkpoint are saying this is a Cisco fault, but I have yet to get a fix.