11-19-2013 05:02 AM - edited 02-21-2020 05:02 AM
Hello Community,
it seems there are problems with dropped fragmented IPv4 UDP Multicast traffice on an ASA 5585X platform running ver. 8.4(6)5. The following sample topology has been used for the verification scenario:
MC src and rcv
(XChariot)
|
-----C4503---------------ASA5585X-L2mode-----------IPSEC-Appl.------WAN----------Remote Site with (S,G) (10.10.4.156,225.1.2.154) (XChariot)
|
MC src and rcv
(XChariot)
Test 1 (S,G) (10.10.4.156,225.1.2.154) sends UDP with a UDP length of 1341
(Trace "WAN-IF_capture_225.1.2.154_no-frag" and
output "L2FW-not_fragmented"
The traffic passes through the Transparent mode ASA without any problems.
Test2 (S,G) (10.10.4.156,225.1.2.154) sends UDP with a UDP length of 3441 resulting in fragmentation.
This traffic and unfortunately it is the same for the real application is drop by the ASA. The two ASP drops counters for "
Dst MAC L2 Lookup Failed" and "invalid-udp-length" are increasing in a realtion of 3(DstMAC):1(invalid udp).
The file"L2FW-frag_IPv4_UDP_MC_ASPdrops" shows first the capture on the WAN and then the captures on the ASP drops. In addition the three traces in pcap format.
Any idea?
Thank you in advance for you contribution.
12-04-2013 10:33 AM
Hello Community,
the following combination solved our problem for now, upgrade to ASA OS 9.1.3 (asa913-2-smp-k8.bin) and the change from virtual reassembly (default) to hardware reassembly -> global-cfg -> fragment reassembly full [interface].
http://www.cisco.com/en/US/docs/security/asa/command-reference/f2.html#wp2019322
Perhaps further test will be made with using lower interim versions.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide