03-12-2015 01:26 AM - edited 03-11-2019 10:37 PM
Hey everyone.
Running IPsec between several locations. Getting the following on all remote Cisco ASAs.
Deny IP teardrop fragment (size = 744, offset = 0) from 10.150.0.2 to 10.150.4.x
The 10.150.4.x is Aruba access points and the 10.150.0.2 is the Aruba controller. Everything works fine, but I am wondering about these denies. Can it be because the traffic between the access point and controller is already encrypted?
Thanx in advance for any feedback.
UPDATE: attached wireshark log: teardrop-capture.zip
Jon
03-12-2015 06:54 AM
Hi,
Here is more information on this issue:
http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logmsgs.html#pgfId-4768988
It is sometimes necessary to break up large packets of data into smaller fragments before they can be sent across the network. Each of these fragments contains information that describes their position in the original, unfragmented packet, so that when the fragmented data arrives at its destination it can all be re-assembled in the proper order. In a teardrop attack, that positional information is deliberately falsified so that the fragments overlap. This can make some machines crash, thereby causing a denial of service.
Do you have any audit signatures enabled on the ASA device?
show run | in ip audit
Thanks and Regards,
Vibhor Amrodia
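To triage denies like the one quoted in the question before going to a capture, the following added example (not from the thread or from Cisco) parses "Deny IP teardrop fragment" syslog lines and summarizes them per source. The log lines are constructed to mirror the message format above; all hosts except 10.150.0.2 are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the ASA message quoted in the thread.
# Hosts other than 10.150.0.2 are hypothetical, not taken from the attached capture.
SAMPLE_LOGS = """\
Mar 12 01:20:11 asa-remote: Deny IP teardrop fragment (size = 744, offset = 0) from 10.150.0.2 to 10.150.4.11
Mar 12 01:20:12 asa-remote: Deny IP teardrop fragment (size = 744, offset = 0) from 10.150.0.2 to 10.150.4.12
Mar 12 01:20:40 asa-remote: Deny IP teardrop fragment (size = 744, offset = 0) from 10.150.0.2 to 10.150.4.11
Mar 12 01:21:03 asa-remote: Deny IP teardrop fragment (size = 1480, offset = 1472) from 192.0.2.9 to 10.150.4.12
Mar 12 01:21:05 asa-remote: Built inbound UDP connection 12 for outside:192.0.2.9/500 (192.0.2.9/500)
"""

# Matches the message body regardless of the syslog prefix in front of it.
TEARDROP_RE = re.compile(
    r"Deny IP teardrop fragment \(size = (?P<size>\d+), offset = (?P<offset>\d+)\) "
    r"from (?P<src>\S+) to (?P<dst>\S+)"
)


def parse_teardrop_denies(text):
    """Return one dict per 'Deny IP teardrop fragment' line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = TEARDROP_RE.search(line)
        if m:
            events.append({
                "size": int(m.group("size")),
                "offset": int(m.group("offset")),
                "src": m.group("src"),
                "dst": m.group("dst"),
            })
    return events


def summarize_by_source(events):
    """Per source: number of denies, distinct destinations, distinct (size, offset) pairs.

    One source hitting many destinations with a single (size, offset) pair points at a
    systematic property of that host's traffic; varied offsets from several sources is
    the pattern worth confirming in a packet capture, as suggested in the thread.
    """
    summary = defaultdict(lambda: {"count": 0, "dsts": set(), "shapes": set()})
    for e in events:
        s = summary[e["src"]]
        s["count"] += 1
        s["dsts"].add(e["dst"])
        s["shapes"].add((e["size"], e["offset"]))
    return dict(summary)
```

Feed it the ASA's syslog export instead of SAMPLE_LOGS to see whether every deny shares one source and one (size, offset) shape, which is the question the thread leaves open.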
03-13-2015 02:55 AM
No audit on either side of the IPsec.
03-13-2015 11:50 PM
Hi,
In that case, I think you might need to capture the traffic for these hosts which are showing up in the logs and verify the issue.
Thanks and Regards,
Vibhor Amrodia
03-16-2015 01:00 AM
Wireshark cap. is attached to the original post. I see the packets, but not sure what to make of it.
12-16-2019 07:18 AM
This discussion is already a few years old, but I wonder if you have ever found a solution for this. We have a similar problem between Huawei access points and controller.
12-28-2022 05:14 AM
Enabling a NetFlow exporter to an exporter address behind an IPsec tunnel also produces tons of syslogs on the remote ASA. What's going on?