Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1717
Views
0
Helpful
1
Replies

ASA 5585X in L2 trans. mode drops (ASP) fragm. IPv4 UDP multicast

h.groeger
Beginner
Beginner

‎11-19-2013 05:02 AM - edited ‎02-21-2020 05:02 AM

Hello Community,

it seems there are problems with dropped fragmented IPv4 UDP Multicast traffice on an ASA 5585X platform running ver. 8.4(6)5. The following sample topology has been used for the verification scenario:

MC src and rcv

(XChariot)

|

-----C4503---------------ASA5585X-L2mode-----------IPSEC-Appl.------WAN----------Remote Site with (S,G) (10.10.4.156,225.1.2.154) (XChariot)

|

MC src and rcv

(XChariot)

Test 1  (S,G) (10.10.4.156,225.1.2.154) sends UDP with a UDP length of 1341

(Trace "WAN-IF_capture_225.1.2.154_no-frag" and

output "L2FW-not_fragmented"

The traffic passes through the Transparent mode ASA without any problems.

Test2 (S,G) (10.10.4.156,225.1.2.154) sends UDP with a UDP length of 3441 resulting in fragmentation.

This traffic and unfortunately it is the same for the real application is drop by the ASA. The two ASP drops counters for "

Dst MAC L2 Lookup Failed" and "invalid-udp-length" are increasing in a realtion of  3(DstMAC):1(invalid udp).

The file"L2FW-frag_IPv4_UDP_MC_ASPdrops" shows first the capture on the WAN and then the captures on the ASP drops. In addition the three traces in pcap format.

Any idea?

Thank you in advance for you contribution.

15371328-ASP_DROP_Dst-L2-Lookup-Failed_225.1.2.154.pcap.zip
15371329-WAN-IF_capture_225.1.2.154_frag.pcap.zip
15371330-L2FW-frag_IPv4_UDP_MC_ASPdrops.txt.zip
15371331-L2FW-not_fragmented.txt.zip
15371332-WAN-IF_capture_225.1.2.154_no-frag.pcap.zip
0 Helpful
1 Reply 1

h.groeger
Beginner
Beginner

‎12-04-2013 10:33 AM

Hello Community,

the following combination solved our problem for now, upgrade to ASA OS 9.1.3 (asa913-2-smp-k8.bin) and the change from virtual reassembly (default) to hardware reassembly -> global-cfg -> fragment reassembly full [interface].

http://www.cisco.com/en/US/docs/security/asa/command-reference/f2.html#wp2019322

Perhaps further test will be made with using lower interim versions.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents