it seems there are problems with dropped fragmented IPv4 UDP Multicast traffice on an ASA 5585X platform running ver. 8.4(6)5. The following sample topology has been used for the verification scenario:
MC src and rcv
-----C4503---------------ASA5585X-L2mode-----------IPSEC-Appl.------WAN----------Remote Site with (S,G) (10.10.4.156,184.108.40.206) (XChariot)
MC src and rcv
Test 1 (S,G) (10.10.4.156,220.127.116.11) sends UDP with a UDP length of 1341
(Trace "WAN-IF_capture_18.104.22.168_no-frag" and
The traffic passes through the Transparent mode ASA without any problems.
Test2 (S,G) (10.10.4.156,22.214.171.124) sends UDP with a UDP length of 3441 resulting in fragmentation.
This traffic and unfortunately it is the same for the real application is drop by the ASA. The two ASP drops counters for "
Dst MAC L2 Lookup Failed" and "invalid-udp-length" are increasing in a realtion of 3(DstMAC):1(invalid udp).
The file"L2FW-frag_IPv4_UDP_MC_ASPdrops" shows first the capture on the WAN and then the captures on the ASP drops. In addition the three traces in pcap format.
the following combination solved our problem for now, upgrade to ASA OS 9.1.3 (asa913-2-smp-k8.bin) and the change from virtual reassembly (default) to hardware reassembly -> global-cfg -> fragment reassembly full [interface].
Get more with Firepower 6.6.1 – Cisco’s latest suggested release
The latest suggested release for Firepower delivers a Modernized UI, faster eventing, improved usability, and compatibility with the Cisco SecureX platform
In September 2020, Cisco of...
In my setup I see pending approvals under Web clients but also All Client?
In pxGrid 1.0, we have “Dynamic capabilities”. Those have to be approved too. So the difference is one for client approval and the other for capabilities approval. For ex...
I am not able to login to the ASAv device on AWS. I get the following message when I try from another EC2 (ubuntu 16.04) no matching key exchange method found. Their offer: diffie-hellman-group14-sha256 When I try from my Mac - I just get n...
Question. Our legal folks have asked if it is possible to add a footer to outbound email if it went out via TLS. So if it successfully negotiates TLS, can we add a footer that says "Sent successfully via TLS 1.2". Is this possible? ...
Segmentation Strategy - An ISE Prescriptive Guide
For an offline or printed copy of this document, simply choose ⋮ Options > Printer Friendly Page. You may then Print, Print to PDF or copy and paste to any other document ...