How to clear DF bit on ASA

Ricky Sandhu
Level 3

Good day, we are having an issue where remote-vpn users connecting via the ASA are unable to access a resource. (Rough diagram attached). 

Whenever PC1 is accessing a given resource on the Internet, it has no issues.
However, whenever PC2 is accessing the same resource via ASA and FTD, it can't. On FTD the below error gets logged:
Initiator IP: 10.1.1.2     4 (Fragmentation Needed and Don't Fragment was set) / icmp

Why is the ASA setting the DF bit and how can I remove it?

2 Replies

Hello @Ricky Sandhu ,

you can clear the DF bit on ASA by using PBR. For this you will need to configure a route-map:

route-map cleardf permit 10
 set ip df 0

This route-map should be applied on the interface towards PC2:

policy-route route-map cleardf

What the route-map does is match all traffic coming in that interface because there is no match statement, and to that traffic it sets the DF bit to 0 so it can be fragmented along the way.

Edit: PBR is supported on ASA starting with software version 9.4(1).

HTH

Regards, LG
*** Please Rate All Helpful Responses ***
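Added example, not code from this thread or from Cisco: a small Python model of what "set ip df 0" does to each packet matched by the route-map, namely clear bit 14 (DF) of the IPv4 flags/fragment-offset field and recompute the header checksum. The sample packet is constructed here, with the source 10.1.1.2 taken from the FTD log above and a made-up destination 203.0.113.10.

```python
import struct

DF_FLAG = 0x4000  # "Don't Fragment" is bit 14 of the 16-bit flags/fragment-offset field


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def df_is_set(packet: bytes) -> bool:
    """True when the packet carries the DF bit the FTD complained about."""
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    return bool(flags_frag & DF_FLAG)


def header_checksum_ok(packet: bytes) -> bool:
    """A correct header checksums to zero when folded back in."""
    ihl = (packet[0] & 0x0F) * 4
    return ipv4_checksum(packet[:ihl]) == 0


def clear_df(packet: bytes) -> bytes:
    """Return a copy with DF cleared and the header checksum repaired,
    i.e. what the 'set ip df 0' route-map action does to matching packets."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    flags_frag = struct.unpack("!H", hdr[6:8])[0] & (0xFFFF & ~DF_FLAG)
    hdr[6:8] = struct.pack("!H", flags_frag)
    hdr[10:12] = b"\x00\x00"                      # zero before recomputing
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def build_sample_packet(src: str, dst: str, payload: bytes, df: bool) -> bytes:
    """Constructed sample: minimal 20-byte IPv4 header, protocol 1 (ICMP), TTL 64."""
    flags_frag = DF_FLAG if df else 0
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                                flags_frag, 64, 1, 0,
                                bytes(map(int, src.split("."))),
                                bytes(map(int, dst.split(".")))))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload
```

Once DF is cleared, routers on the path fragment the packet instead of returning the ICMP type 3 code 4 message seen in the FTD log, so Path MTU Discovery no longer works for those flows and the endpoints keep sending at their full MTU.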

Ricky Sandhu
Level 3

Thank you @liviu.gheorghe 

I was able to "go around" the issue by routing traffic from the ASA via an IOS router to the destination on the Internet for now. But I will keep this in my back pocket for the future.
