Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1207
Views
0
Helpful
2
Replies

ip virtual-reassembly counts

vudex
Level 1
Level 1

‎02-09-2020 04:34 AM

Hi.

Expieriencing some increasing timeouts on ip virtual-reassembly

 

 

GigabitEthernet0/0/2.202:
Virtual Fragment Reassembly (VFR) is ENABLED [in]
Concurrent reassemblies (max-reassemblies): 16
Fragments per reassembly (max-fragments): 32
Reassembly timeout (timeout): 60 seconds
Drop fragments: OFF

Current reassembly count:0
Current fragment count:0
Total reassembly count:2557797
Total reassembly timeout count:13961

 

 

This is ip nat inside interface

 

Kinda confused that there are reassembles IN, leading from local network. Though I don't expirience any visible issues while connecting to internet, what can happen if I turn it off? Should I? Why are there even fragments, if all interface leading from clients to the core are 1500 MTU.

0 Helpful
2 Replies 2

Georg Pauwen
VIP
VIP

‎02-09-2020 05:42 AM

Hello,

 

the fragments are most likely caused by NAT. Have a look at the explanantion below. The 'reassembly timeout' value, by the way, is not a dynamic value, but a value you set under the interface, with the command 'ip virtual-reassembly in timeout'. The default is 3...

 

--> Virtual fragmentation reassembly (VFR) is automatically enabled by some features (such as NAT, Cisco IOS XE Firewall, IPSec) to get Layer 4 or Layer 7 information. VFR enables the Cisco IOS XE Firewall to create appropriate dynamic access control lists (ACLs) to protect the network from various fragmentation attacks.

Most non-initial fragments do not have the Layer 4 header because it usually travels with the initial fragments (except in the case of micro-fragmentation and tiny fragments). Due to this, some features (such as NAT, Cisco IOS XE Firewall, IPSec) are unable to gather port information from the packet. These features may need to inspect the Layer 7 payload, for which the fragments need to be reassembled, and then refragmented later.

 

So, if you disable NAT on the interface, the count will probably drop to zero.

0 Helpful

vudex
Level 1
Level 1
In response to Georg Pauwen

‎02-11-2020 08:42 PM

I didn't disable NAT, but I disabled virtual reassembly. It did not affect the traffic in any way which is kinda odd. I don't see any increasing drops on interface itself either.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card