New Member

Netscreen's "Block Fragment Traffic" option blocks IPsec/UDP traffic

We have a vendor who uses a Netscreen firewall and for security purposes needs to have the "Block Fragment Traffic" option enabled. Yet that option is blocking our IPsec over UDP traffic from our ASA5550. I've tried all the possible pre-fragmentation options and our interface MTU is set to 1500.

Strange thing is that we have existing 3k's they can connect to fine through this Netscreen. It's only the new ASA that they cannot connect to. They turned off the Block Fragment Traffic option as a test and were able to log in to the ASA without a problem.

Has anyone encountered this issue or know of a workaround? Thanks in advance.

New Member

Re: Netscreen's "Block Fragment Traffic" option blocks IPsec/UDP

Hi, sorry I cannot help, but I am having the same problem with fragment packets when connecting with the Cisco VPN client through a Checkpoint firewall with SmartDefense enabled, trying to access a Cisco VPN Concentrator 3000. It connects, but the Checkpoint drops fragment packets. Checkpoint are saying this is a Cisco fault, but I am yet to get a fix.