topic Re: Wireshark cap. is attached to in Network Security

Deny IP teardrop fragment

Jon Are Endrerud — Tue, 12 Mar 2019 05:37:49 GMT

Hey everyone.

Running ipsec between several locations.Getting the following on all remote Cisco ASA's.

Deny IP teardrop fragment (size = 744, offset = 0) from 10.150.0.2 to 10.150.4.x

The 10.150.4.x is Aruba access points and the 10.150.0.2 is the Aruba controller. Everything works fine, but I am wondering about these denies. Can it be because the traffic between the access point and controller are already encrypted ?

Thanx in advance for any feedback.

UPDATE: attached wireshark log: teardrop-capture.zip

Jon

Hi,

Vibhor Amrodia — Thu, 12 Mar 2015 13:54:39 GMT

Hi,

Here is more information on this issue:-

http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logmsgs.html#pgfId-4768988

It is sometimes necessary to break up large packets of data into smaller
fragments before they can be sent across the network.  Each of these
fragments contains information that describes their position in the
original, unfragmented packet, so that when the fragmented data arrives
at its destination it can all be re-assembled in the proper order.  In a
teardrop attack, that positional information is deliberately falsified
so that the fragments overlap.  This can make some machines crash,
thereby causing a denial of service.

Do you have any Audit signatures enabled on the ASA device ?

show run | in ip audit

Thanks and Regards,

Vibhor Amrodia

No audit on either sides of

Jon Are Endrerud — Fri, 13 Mar 2015 09:55:07 GMT

No audit on either sides of the ipsec.

Hi,In that case , i think you

Vibhor Amrodia — Sat, 14 Mar 2015 06:50:05 GMT

Hi,

In that case , i think you might need to capture the traffic for these host which are showing up in the logs and verify the issue.

Thanks and Regards,

Vibhor Amrodia

Wireshark cap. is attached to

Jon Are Endrerud — Mon, 16 Mar 2015 08:00:44 GMT

Wireshark cap. is attached to orginal post. I see the packets, but not sure what to make of it.

Re: Wireshark cap. is attached to

rjanssen — Mon, 16 Dec 2019 15:18:42 GMT

This discussion is already a few years old, but I wonder if you have ever found a solution for this. We have a similar problem between Huawei access points and controller.

Re: Wireshark cap. is attached to

kerstin-534 — Wed, 28 Dec 2022 13:14:41 GMT

enabling netflow exporter to exporter address behind ipsec tunnel also produces tons of syslogs on remote asa. What's going on ?