Deny IP teardrop fragment

Hey everyone.

Running IPsec between several locations. Getting the following on all remote Cisco ASAs.

 Deny IP teardrop fragment (size = 744, offset = 0) from 10.150.0.2 to 10.150.4.x

The 10.150.4.x addresses are Aruba access points and 10.150.0.2 is the Aruba controller. Everything works fine, but I am wondering about these denies. Can it be because the traffic between the access point and controller is already encrypted?

Thanx in advance for any feedback.

UPDATE: attached wireshark log: teardrop-capture.zip

Jon

Please rate as helpful, if that would be the case. Thanx

Vibhor Amrodia
Cisco Employee

Hi,

Here is more information on this issue:-

http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logmsgs.html#pgfId-4768988

It is sometimes necessary to break up large packets of data into smaller
fragments before they can be sent across the network.  Each of these
fragments contains information that describes their position in the
original, unfragmented packet, so that when the fragmented data arrives
at its destination it can all be re-assembled in the proper order.  In a
teardrop attack, that positional information is deliberately falsified
so that the fragments overlap.  This can make some machines crash,
thereby causing a denial of service.  

Do you have any Audit signatures enabled on the ASA device ?

show run | in ip audit

Thanks and Regards,

Vibhor Amrodia
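As an added illustration of the condition the quoted text describes (this is not code from the post, from Cisco, or from the ASA), the following Python snippet checks a set of IP fragments for the overlap that makes a datagram a teardrop, and parses the log line format shown in the original post. The fragment lists and the sample log line are constructed here; the ASA log's size/offset values are only parsed, with no assumption about their units.

```python
import re
from dataclasses import dataclass

# The IP header fragment offset field counts 8-byte units.
FRAG_UNIT = 8


@dataclass(frozen=True)
class Fragment:
    offset: int   # fragment offset field, in 8-byte units
    length: int   # payload bytes carried by this fragment

    @property
    def start(self) -> int:
        return self.offset * FRAG_UNIT

    @property
    def end(self) -> int:
        return self.start + self.length


def find_overlaps(fragments):
    """Return (a, b) pairs whose byte ranges overlap within one datagram.
    Legitimate fragments tile the original packet without overlap; an
    overlapping pair is the teardrop signature a firewall denies."""
    ordered = sorted(fragments, key=lambda f: (f.start, f.end))
    bad = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.start >= a.end:
                break  # sorted by start, so no later fragment overlaps a
            bad.append((a, b))
    return bad


ASA_TEARDROP = re.compile(
    r"Deny IP teardrop fragment \(size = (\d+), offset = (\d+)\) "
    r"from (\S+) to (\S+)")


def parse_teardrop_log(line):
    """Extract size, offset, source and destination from an ASA deny line."""
    m = ASA_TEARDROP.search(line)
    if not m:
        return None
    size, offset, src, dst = m.groups()
    return {"size": int(size), "offset": int(offset), "src": src, "dst": dst}


# Constructed samples: a clean 2000-byte datagram split at a 1480-byte MTU,
# and a datagram whose second fragment overlaps the first 744 bytes.
BENIGN = [Fragment(0, 1480), Fragment(185, 520)]
TEARDROP = [Fragment(0, 744), Fragment(50, 400)]
SAMPLE_LOG = ("Deny IP teardrop fragment (size = 744, offset = 0) "
              "from 10.150.0.2 to 10.150.4.x")
```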

No audit on either sides of the ipsec.

Please rate as helpful, if that would be the case. Thanx

Hi,

In that case, I think you might need to capture the traffic for these hosts which are showing up in the logs and verify the issue.

Thanks and Regards,

Vibhor Amrodia

Wireshark cap. is attached to the original post. I see the packets, but not sure what to make of it.

Please rate as helpful, if that would be the case. Thanx

This discussion is already a few years old, but I wonder if you have ever found a solution for this. We have a similar problem between Huawei access points and controller.

Enabling a NetFlow exporter to an exporter address behind the IPsec tunnel also produces tons of syslogs on the remote ASA. What's going on?
