Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
817
Views
0
Helpful
1
Replies

ASA does not allow ESP fragments to go in outside interface

spapageorgiou
Level 1
Level 1

‎12-09-2018 11:07 PM - edited ‎02-21-2020 08:33 AM

Hi all,

 

I'm running an ASA with 9.8(2) and I have a IPSEC tunnel with another device. The other device (pfsense) fragments ESP packets in order to fit the MTU, but the ASA does not seem to allow ESP fragments to go in, does not reassemble them and of course I can't see the decapsulated ESP payload to reach the endhost. I have opened the firewall to allow everything.

 

The question is how can i configure the ASA to do reassembly, as it should be and forward the payload to the endhost. 

 

Thanx,

Sp

PS: I know all about PMTU and MSS, but it does not apply in my case, so I would like to reassemble the packets.

 

0 Helpful
1 Reply 1

Kasun Bandara
VIP
VIP

‎12-10-2018 10:10 PM

Hi,

just cool suggestion. can you try setting same MTU or fragment thresholds on both side to same value? :)
Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card