
Deny IP teardrop fragment (size = 1416, offset = 0)

Omar Badawi
Level 1

Hello,

I am getting logs on my ASA saying:

Deny IP teardrop fragment (size = 1416, offset = 0)

I am getting them when I am trying to generate a PING from an outside host to an inside host using a packet size of 10,000 (for testing purposes).

However, when I run the ping with the same packet size from my laptop, I get replies and everything works fine (Windows 7).

When I run the ping from the customer PC, I get the logs (Windows 7 and Windows 8).

Ping with a regular packet size works from everywhere.

The only difference I can think of is that I am not on the domain and the customer's PCs are on the domain.

I am raising this issue because from my PC I can open a remote desktop connection to the inside host with no problems, but from the customer's PCs I can't: it takes too long to open, then it opens (milliseconds in my case, close to 1 min in the case of the customer's PCs).

My customer's PC and I are considered outside users to the ASA because it's a server farm ASA (outside connected to core and inside connected to servers).

No NATing on the ASA and the outside ACL is permitting everything.

No IPS running at the moment.

Thank you.

3 Replies

Luis Silva Benavides
Cisco Employee

Hi,

The best way to troubleshoot the RDP issue is by taking captures on the inside and outside interfaces of the ASA and also correlating them with the syslogs. You might wanna do this for the working and non-working connection.

HTH,

Luis Silva

"If you need PDI (Planning, Design, Implement) assistance feel free to reach"

http://www.cisco.com/web/partners/tools/pdihd.html

Luis Silva
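
The syslog side of the correlation suggested above, as an added example that is not part of the original thread: it tallies teardrop-fragment denies per source host so that the working and non-working clients can be compared against the captures. The sample lines, the addresses and the function names are constructed; the `%ASA-2-106020` header and the `from ... to ...` suffix are assumed from the standard ASA message format, since the thread quotes only the middle of the message.

```python
import re
from collections import defaultdict

# Constructed sample syslog (documentation addresses). Only the
# "Deny IP teardrop fragment (size = 1416, offset = 0)" text is from the thread.
SAMPLE_LOG = """\
Mar 03 2014 10:15:01: %ASA-2-106020: Deny IP teardrop fragment (size = 1416, offset = 0) from 192.0.2.10 to 198.51.100.5
Mar 03 2014 10:15:02: %ASA-2-106020: Deny IP teardrop fragment (size = 1416, offset = 0) from 192.0.2.10 to 198.51.100.5
Mar 03 2014 10:15:03: %ASA-5-111008: User 'enable_15' executed the 'show fragment' command.
Mar 03 2014 10:15:04: %ASA-2-106020: Deny IP teardrop fragment (size = 1416, offset = 0) from 192.0.2.11 to 198.51.100.5
"""

# The from/to suffix is optional so that a truncated message still matches.
TEARDROP = re.compile(
    r"Deny IP teardrop fragment \(size = (?P<size>\d+), offset = (?P<offset>\d+)\)"
    r"(?: from (?P<src>\S+) to (?P<dst>\S+))?"
)


def summarize_teardrop(log_text):
    """Return {(src, dst): {"count": n, "fragments": {(size, offset), ...}}}."""
    summary = defaultdict(lambda: {"count": 0, "fragments": set()})
    for line in log_text.splitlines():
        m = TEARDROP.search(line)
        if not m:
            continue  # unrelated syslog message
        key = (m["src"] or "unknown", m["dst"] or "unknown")
        summary[key]["count"] += 1
        summary[key]["fragments"].add((int(m["size"]), int(m["offset"])))
    return dict(summary)


def hosts_without_denies(tested_hosts, summary):
    """Hosts that ran the large ping but never triggered a teardrop deny."""
    denied = {src for src, _ in summary}
    return sorted(h for h in tested_hosts if h not in denied)


if __name__ == "__main__":
    result = summarize_teardrop(SAMPLE_LOG)
    for (src, dst), info in sorted(result.items()):
        print(f"{src} -> {dst}: {info['count']} denies, {sorted(info['fragments'])}")
    tested = ["192.0.2.10", "192.0.2.11", "192.0.2.77"]
    print("no denies:", hosts_without_denies(tested, result))
```

Hosts that show up only in the "no denies" list are the ones whose captures are worth diffing against the denied hosts' captures.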

Hello Luis,

Thank you for your reply, I haven't got the chance to take captures on the interfaces, however, the issue is fixed.

It turns out that HSRP configured between Nexus 5K on the inside of the ASA was the one causing the dropped packets.

We are now using the 5K as L2 devices and the ASA has subinterfaces, one for each VLAN on the inside network, and the reply for a 10000 packet size from outside to inside is < or = to 1 ms with no drops.

Great!

Luis Silva

"If you need PDI (Planning, Design, Implement) assistance feel free to reach"

http://www.cisco.com/web/partners/tools/pdihd.html

Luis Silva