10-26-2010 06:38 AM - edited 03-06-2019 01:44 PM
Hello
I had an error message on my router:
%IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/1.1000: the fragment table has reached its maximum threshold 16
and then my OSPF neighbors went down. Could this error be the cause of my OSPF problem, and what is the effect of this error? Could interface gig0/1.1000 have gone down? There are no logs about this.
thank you
10-26-2010 07:59 AM
VFR is "virtual fragmentation reassembly". It is typically used for NAT and some other layer 4 features, as a fragmented IP packet will only have the layer 4 header in the first fragment. So we need to keep the fragments and reassemble them to make sure that NAT is performed the same on all fragments, or that the other fragments are classified the same.
That said, this should not have any effect on OSPF or the interface status. The error typically indicates that you are receiving a large number of fragmented IP packets on this interface. This might be normal, or it could be a sign of some device causing fragmentation that shouldn't be.
You can increase the maximum entries using the command "ip virtual-reassembly max-reassemblies x" under the interface configuration. I would probably make it at least 64 if possible. The max value here varies with IOS version. Newer versions allow the value to be up to 1024. If you still see the error, you should investigate where the fragmentation is happening in your network.
Regards
Dave Aicher
10-27-2010 12:56 AM
Thanks a lot
08-27-2012 12:46 AM
Dear David,
I do have the same problem now, but when I tried to issue the command it's not even there.
What can I do now?
08-27-2012 06:14 AM
What version of IOS?
Other than increasing the max reassemblies, you should find out where the fragmentation is happening in your network. Sometimes it is unavoidable, for example if you are using GRE or IPsec, but you can mitigate it as much as possible.
08-27-2012 06:20 AM
Here is a show version,
and if you need other shows I will provide them to you.
Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(20)T2, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Sat 31-Jan-09 13:46 by prod_rel_team
ROM: System Bootstrap, Version 12.4(13r)T11, RELEASE SOFTWARE (fc1)
Living-in-internet-R uptime is 6 hours, 23 minutes
System returned to ROM by reload at 06:58:57 UTC Mon Aug 27 2012
System image file is "flash:c2800nm-advsecurityk9-mz.124-20.T2.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
Cisco 2811 (revision 53.51) with 247808K/14336K bytes of memory.
Processor board ID FCZ132070EX
2 FastEthernet interfaces
2 Serial(sync/async) interfaces
1 ATM interface
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
191K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
08-27-2012 06:31 AM
I don't understand what you mean that the command doesn't exist. ip virtual-reassembly max-reassemblies has existed since 12.3(8)T:
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_i3.html#wp1060958
This is an interface-level command.
08-27-2012 07:03 AM
Sorry David,
this command is already issued under the interface (ip virtual-reassembly).
Should I run it again and make it 64 or 1024?
08-27-2012 07:16 AM
Exactly. You have to look at this in two ways. Is fragmentation expected in your network (i.e. IPsec, GRE, etc.)? If not, then locate the cause of the fragmentation. If it is expected, increase the max reassemblies until the messages stop.
08-27-2012 07:32 AM
Dear David,
I don't fully understand this fragmentation issue,
so if you would like, here is the show run of the router so you can tell me what I can do now.
X.X.X.X are real IPs.
Living-in-internet-R#sh run
Building configuration...
Current configuration : 9682 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Living-in-internet-R
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51201 warnings
!
aaa new-model
!
!
aaa authentication login ssl local
!
!
aaa session-id common
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
ip name-server 4.2.2.2
ip name-server 8.8.8.8
ip multicast-routing
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-1655078679
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1655078679
revocation-check none
rsakeypair TP-self-signed-1655078679
!
!
crypto pki certificate chain TP-self-signed-1655078679
certificate self-signed 01
quit
!
!
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface Loopback100
no ip address
!
interface FastEthernet0/0
description <<""Inside"">>
ip address 192.168.201.254 255.255.255.0
ip pim sparse-mode
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description <<""Internet"">>
ip address X.X.X.X 255.255.255.224
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface Serial0/1/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/1/1
no ip address
shutdown
clock rate 2000000
!
ip local pool pool 20.0.0.1 20.0.0.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 X.X.X.X
ip route 10.0.0.0 255.0.0.0 192.168.201.1
ip route 192.168.60.0 255.255.255.0 192.168.201.1
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip pim rp-address 192.168.201.254
ip nat inside source list internet interface FastEthernet0/1 overload
ip nat inside source static 192.168.201.1 X.X.X.X
ip nat inside source static 10.10.90.100 X.X.X.X
ip nat inside source static 10.10.90.60 X.X.X.X
ip nat inside source static 10.10.110.6 X.X.X.X
ip nat inside source static 10.10.106.105 X.X.X.X
ip nat inside source static 10.10.106.106 X.X.X.X
ip nat inside source static 10.10.106.107 X.X.X.X
ip nat inside source static 10.10.90.80 X.X.X.X
ip nat inside source static 10.10.110.15 X.X.X.X
ip nat inside source static 10.10.110.10 X.X.X.X
!
ip access-list extended IDS_fa0/0_in_0
permit ip host 10.10.105.31 any
permit ip any any
permit tcp any any
permit udp any any
ip access-list extended internet
permit ip 10.10.91.0 0.0.0.255 any
permit tcp 10.10.91.0 0.0.0.255 any
permit udp 10.10.91.0 0.0.0.255 any
permit ip 10.10.120.0 0.0.0.255 any
permit ip 10.10.90.0 0.0.0.255 any
permit tcp 10.10.90.0 0.0.0.255 any
permit udp 10.10.90.0 0.0.0.255 any
permit ip 10.10.110.0 0.0.0.255 any
permit tcp 10.10.110.0 0.0.0.255 any
permit udp 10.10.110.0 0.0.0.255 any
permit ip 10.10.6.0 0.0.0.255 any
deny tcp 10.10.6.0 0.0.0.255 eq smtp any
permit icmp 10.10.20.0 0.0.0.255 any echo
permit icmp 10.10.20.0 0.0.0.255 any echo-reply
permit ip 10.10.20.0 0.0.0.255 host X.X.X.X
permit ip 10.10.20.0 0.0.0.255 host X.X.X.X
permit ip 10.10.20.0 0.0.0.255 host X.X.X.X
deny tcp 10.10.20.0 0.0.0.255 eq smtp any
permit icmp 10.10.40.0 0.0.0.255 any echo
permit icmp 10.10.40.0 0.0.0.255 any echo-reply
deny tcp 10.10.40.0 0.0.0.255 eq smtp any
permit ip 192.168.201.0 0.0.0.255 any
permit tcp 192.168.201.0 0.0.0.255 any
permit udp 192.168.201.0 0.0.0.255 any
permit ip 10.10.109.0 0.0.0.255 any
permit tcp 10.10.109.0 0.0.0.255 any
permit udp 10.10.109.0 0.0.0.255 any
permit ip host 10.10.105.100 any
permit ip 10.10.105.0 0.0.0.255 any
permit icmp 10.10.30.0 0.0.0.255 any echo
permit icmp 10.10.30.0 0.0.0.255 any echo-reply
deny tcp 10.10.30.0 0.0.0.255 eq smtp any
!
logging trap debugging
logging 10.10.105.100
logging 10.10.120.150
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 100 permit tcp any any
access-list 100 permit udp any any
access-list 190 permit ip any any
access-list 190 permit tcp any any
access-list 190 permit udp any any
access-list 191 permit ip any any
access-list 191 permit tcp any any
access-list 191 permit udp any any
!
!
!
!
!
control-plane
!
banner exec ^CC
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username
Replace
use.
-----------------------------------------------------------------------
^C
banner login ^CC
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.
Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
username
no username cisco
Replace
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
privilege level 15
logging synchronous
transport input all
line vty 5 15
exec-timeout 0 0
privilege level 15
logging synchronous
transport input all
!
scheduler allocate 20000 1000
!
web gateway ssl-gateway
ip interface FastEthernet0/1 port 443
http-redirect port 80
ssl encryption rc4-md5
ssl trustpoint TP-self-signed-1655078679
logging enable
inservice
!
web gateway web-gateway
ip interface FastEthernet0/1 port 1025
ssl encryption rc4-md5
ssl trustpoint TP-self-signed-1655078679
logging enable
inservice
!
web install svc flash:/web/svc_1.pkg sequence 1
!
web context ssl
title "ssl"
ssl encryption rc4-md5
ssl authenticate verify all
!
!
policy group DEFAULT_POLICY
functions svc-required
svc address-pool "pool"
svc default-domain "cisco.com"
svc keep-client-installed
svc split include 10.0.0.0 255.0.0.0
svc dns-server primary 4.2.2.2
default-group-policy DEFAULT_POLICY
aaa authentication list ssl
aaa authentication domain ssl
gateway ssl-gateway domain ssl
inservice
!
!
web context web
title "web"
ssl encryption rc4-md5
ssl authenticate verify all
!
url-list "url"
heading "Vimportant"
url-text "ipv" url-value "10.10.120.253"
!
acl "web"
permit url "http://10.10.120.253"
!
nbns-list "ADMIN-NBNS"
nbns-server 1.1.1.1
!
port-forward "core"
local-port 23 remote-server "10.10.120.254" remote-port 23 description "telnettocore"
!
policy group policy
url-list "url"
acl "web"
port-forward "core"
nbns-list "ADMIN-NBNS"
functions file-access
functions file-browse
functions file-entry
hide-url-bar
default-group-policy policy
aaa authentication list ssl
aaa authentication domain web
gateway ssl-gateway domain web
user-profile location flash:
inservice
!
end
08-27-2012 09:06 AM
Fragmentation occurs when the MTU of an interface is not large enough to transmit the packet. For example, a router receives a 1500-byte packet on an interface; however, the egress interface has an MTU of 1400. So the router has to fragment the packet so it can transmit it. You now have two packets that make up the original packet.
This most commonly occurs where there is an MTU mismatch or when you do things that add to the size of the original packet, like GRE and IPsec.
In your case the device reporting the messages is just sort of the victim. It is receiving multiple fragments. Since you have NAT on, ip virtual-reassembly is enabled by default, since only the first fragment has the layer 4 header.
To find where fragmentation is happening, you follow the path towards the source of the traffic, looking for where the fragmentation is happening. You can verify using "show ip traffic", which will tell you if the router had to fragment the packet.
The other way to find the source of fragmentation is to ping towards the source of the traffic with size = 1500 and the DF bit set to 1 (DF = don't fragment). You will get an "unreachable, could not fragment" from the offending device.
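The arithmetic behind the 1500-byte packet / 1400-byte MTU case above, as an added example that is not part of the thread: it produces the two fragments a router would emit, returns None for a DF packet (the case the df-bit ping exposes), and accumulates the per-packet counters that the "Frags:" line of show ip traffic reports. The 20-byte header length (no IP options) is an assumption.

```python
# Added example, not from the thread: IPv4 fragmentation arithmetic for the
# 1500-byte packet / 1400-byte egress MTU case, plus show-ip-traffic style
# counters (fragmented / fragments / couldn't fragment). Fragment offsets are
# in 8-byte units, as in the IPv4 header.
IPV4_HEADER_LEN = 20  # assumes no IP options


def fragment(total_len, egress_mtu, df=False, hdr_len=IPV4_HEADER_LEN):
    """Return the fragments a router emits as (offset_units, payload_len, more_fragments).

    Returns None when the packet would need fragmenting but carries DF: the
    router drops it and answers with ICMP "fragmentation needed", which the
    df-bit ping in the thread displays as 'M'.
    """
    if total_len <= egress_mtu:
        return [(0, total_len - hdr_len, False)]  # fits, forwarded unchanged
    if df:
        return None
    payload = total_len - hdr_len
    # Every fragment except the last must carry a multiple of 8 payload bytes.
    max_payload = (egress_mtu - hdr_len) // 8 * 8
    if max_payload <= 0:
        raise ValueError("egress MTU too small to carry any payload")
    frags = []
    offset = 0
    while offset < payload:
        chunk = min(max_payload, payload - offset)
        more = offset + chunk < payload          # MF flag
        frags.append((offset // 8, chunk, more))
        offset += chunk
    return frags


def frag_counters(packets, egress_mtu):
    """Accumulate show-ip-traffic style counters over (total_len, df) tuples."""
    stats = {"fragmented": 0, "fragments": 0, "couldnt_fragment": 0}
    for total_len, df in packets:
        frags = fragment(total_len, egress_mtu, df)
        if frags is None:
            stats["couldnt_fragment"] += 1
        elif len(frags) > 1:
            stats["fragmented"] += 1          # one original packet was split
            stats["fragments"] += len(frags)  # pieces that left the interface
    return stats


if __name__ == "__main__":
    print(fragment(1500, 1400))            # [(0, 1376, True), (172, 104, False)]
    print(fragment(1500, 1400, df=True))   # None
    # constructed sample: two oversized packets, one oversized with DF, one that fits
    print(frag_counters([(1500, False), (1500, False), (1500, True), (1200, False)], 1400))
```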
08-28-2012 06:33 AM
Hi David,
here is the show ip traffic:
IP statistics:
Rcvd: 480903 total, 84402 local destination
0 format errors, 0 checksum errors, 0 bad hop count
0 unknown protocol, 37 not a gateway
0 security failures, 0 bad options, 0 with options
Opts: 0 end, 0 nop, 0 basic security, 0 loose source route
0 timestamp, 0 extended security, 0 record route
0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump
0 other
Frags: 4 reassembled, 0 timeouts, 0 couldn't reassemble
23 fragmented, 47 fragments, 0 couldn't fragment
Bcast: 4055 received, 0 sent
Mcast: 0 received, 1637 sent
Sent: 59701 generated, 37355184 forwarded
Drop: 0 encapsulation failed, 0 unresolved, 0 no adjacency
19 no route, 0 unicast RPF, 0 forced drop
0 options denied
Drop: 0 packets with source IP address zero
Drop: 0 packets with internal loop back IP address
0 physical broadcast
ICMP statistics:
Rcvd: 7 format errors, 0 checksum errors, 0 redirects, 68 unreachable
982 echo, 0 echo reply, 0 mask requests, 0 mask replies, 0 quench
0 parameter, 0 timestamp, 0 timestamp replies, 0 info request, 0 other
0 irdp solicitations, 0 irdp advertisements
0 time exceeded, 0 info replies
Sent: 0 redirects, 21552 unreachable, 0 echo, 982 echo reply
0 mask requests, 0 mask replies, 0 quench, 0 timestamp, 0 timestamp replies
0 info reply, 0 time exceeded, 0 parameter problem
0 irdp solicitations, 0 irdp advertisements
TCP statistics:
Rcvd: 35720 total, 0 checksum errors, 1354 no port
Sent: 35439 total
BGP statistics:
Rcvd: 0 total, 0 opens, 0 notifications, 0 updates
0 keepalives, 0 route-refresh, 0 unrecognized
Sent: 0 total, 0 opens, 0 notifications, 0 updates
0 keepalives, 0 route-refresh
IP-EIGRP statistics:
Rcvd: 0 total
Sent: 0 total
PIMv2 statistics: Sent/Received
Total: 824/0, 0 checksum errors, 0 format errors
Registers: 0/0 (0 non-rp, 0 non-sm-group), Register Stops: 0/0, Hellos: 824/0
Join/Prunes: 0/0, Asserts: 0/0, grafts: 0/0
Bootstraps: 0/0, Candidate_RP_Advertisements: 0/0
Queue drops: 0
State-Refresh: 0/0
IGMP statistics: Sent/Received
Total: 813/0, Format errors: 0/0, Checksum errors: 0/0
Host Queries: 406/0, Host Reports: 407/0, Host Leaves: 0/0
DVMRP: 0/0, PIM: 0/0
Queue drops: 0
UDP statistics:
Rcvd: 47631 total, 0 checksum errors, 47184 no port
Sent: 102 total, 0 forwarded broadcasts
OSPF statistics:
Rcvd: 0 total, 0 checksum errors
0 hello, 0 database desc, 0 link state req
0 link state updates, 0 link state acks
Sent: 0 total
0 hello, 0 database desc, 0 link state req
0 link state updates, 0 link state acks
ARP statistics:
Rcvd: 1036 requests, 136 replies, 0 reverse, 0 other
Sent: 2 requests, 26 replies (20 proxy), 0 reverse
Drop due to input queue full: 0
09-03-2012 01:19 AM
Dear David
I tried to ping the source. It's an unfamiliar IP for me; when I look it up it's in Russia, I guess. I tried this:
Living-in-internet-R#ping 46.164.194.79 size 1500 df-bit
Type escape sequence to abort.
Sending 5, 1500-byte ICMP Echos to 46.164.194.79, timeout is 2 seconds:
Packet sent with the DF bit set
MMMMM
Success rate is 0 percent (0/5)
and when I tried to ping from the cmd:
C:\Users\Mohamed Selim>ping 46.164.194.79 -l 1500 -a -f
Pinging 46.164.194.79 with 1500 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Ping statistics for 46.164.194.79:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
What can I do to solve the problem? And I set the ip virtual-reassembly to 64 and I got this message:
*Sep 3 06:49:26.655: %IP_VFR-4-FRAG_TABLE_OVERFLOW: FastEthernet0/1: the fragment table has reached its maximum threshold 64
*Sep 3 06:50:50.899: %IP_VFR-3-OVERLAP_FRAGMENTS: FastEthernet0/1: from the host 46.164.194.79 destined to ( MY internet router IP Address )
09-07-2012 06:57 AM
Well, you have two issues here.
IP_VFR-4-FRAG_TABLE_OVERFLOW
This is telling you a large number of IP fragments are coming in. Again, this may be normal or not. In newer IOS you can increase the max threshold beyond 64; make it something abnormally high like 512 or 1024 and the message should stop. It isn't bad that you are receiving fragments; it could be something within your network or coming from somewhere else. Fragments occur when a packet is sent that is larger than the egress MTU of an interface.
The second problem is a bit more of an issue:
IP_VFR-3-OVERLAP_FRAGMENTS:
See this previous thread:
https://supportforums.cisco.com/thread/203044
The router has encountered overlap fragments. "Overlap fragment" means that the offset of one fragment overlaps the offset of another fragment. For example, if the offset of the first fragment is 0 and its length is 800, the offset of the second fragment must be 800. If the offset of the second fragment is less than 800, the second fragment overlaps the first fragment. This condition might indicate a hostile attack.
Recommended Action: Configure a static ACL to prevent further overlap fragments from the sender.
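A small model of a VFR reassembly table, added here as an example and not taken from the thread or from Cisco IOS, that raises the two conditions discussed above: FRAG_TABLE_OVERFLOW when more datagrams are in progress than max-reassemblies (the IOS default of 16), and OVERLAP_FRAGMENTS when a fragment's byte range intersects one already held, using Cisco's offset-0/length-800 case. The addresses and IP IDs in the demo functions are constructed, and discarding the whole datagram on overlap is this model's choice.

```python
# Added example, not from the thread or from Cisco IOS: a minimal reassembly
# table that detects table overflow and overlapping fragments. Constructed
# addresses (RFC 5737 ranges) are used throughout.


class VfrTable:
    def __init__(self, max_reassemblies=16):
        self.max_reassemblies = max_reassemblies
        # (src, dst, ip_id) -> list of (first_byte, last_byte) ranges held so far
        self.datagrams = {}
        self.events = []  # (message, detail) tuples, in the order raised

    def add_fragment(self, src, dst, ip_id, offset_units, payload_len):
        """Accept one fragment; return True if it was added to the table."""
        key = (src, dst, ip_id)
        first = offset_units * 8               # IPv4 offset field is in 8-byte units
        last = first + payload_len - 1
        held = self.datagrams.get(key)
        if held is None:
            if len(self.datagrams) >= self.max_reassemblies:
                self.events.append(("IP_VFR-4-FRAG_TABLE_OVERFLOW",
                                    f"threshold {self.max_reassemblies}"))
                return False
            held = self.datagrams[key] = []
        for f, l in held:
            # Cisco's rule: after a fragment covering bytes 0-799 the next must start
            # at 800; any earlier start, or any intersecting range, is an overlap.
            if first <= l and f <= last:
                self.events.append(("IP_VFR-3-OVERLAP_FRAGMENTS", f"from the host {src}"))
                del self.datagrams[key]        # this model discards the whole datagram
                return False
        held.append((first, last))
        return True


def overlap_demo():
    """Cisco's worked case: first fragment offset 0 length 800, third starts early."""
    t = VfrTable()
    ok1 = t.add_fragment("198.51.100.7", "192.0.2.1", 4242, 0, 800)    # bytes 0-799
    ok2 = t.add_fragment("198.51.100.7", "192.0.2.1", 4242, 100, 200)  # bytes 800-999, fine
    ok3 = t.add_fragment("198.51.100.7", "192.0.2.1", 4242, 96, 800)   # starts at 768: overlap
    return ok1, ok2, ok3, t.events


def overflow_demo(n_datagrams=17):
    """Seventeen distinct in-flight datagrams against the default threshold of 16."""
    t = VfrTable()
    results = [t.add_fragment("203.0.113.9", "192.0.2.1", i, 0, 1376)
               for i in range(n_datagrams)]
    return results, t.events


if __name__ == "__main__":
    print(overlap_demo())
    print(overflow_demo())
```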
09-28-2017 06:54 PM
The real situation is like a lot of small packets coming in... like a torrent client that connects to a LOT of connections.
%IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet2: the fragment table has reached its maximum threshold 16
and
666666666655555666666666688888888889999999999999999999999999
333334444466666999999999933333777778888888888999999999999999
100 *************************
90 ******************************
80 ***********************************
70 *********************************************
60 ************************************************************
50 ************************************************************
40 ************************************************************
30 ************************************************************
20 ************************************************************
10 ************************************************************
0....5....1....1....2....2....3....3....4....4....5....5....6
0 5 0 5 0 5 0 5 0 5 0
CPU% per second (last 60 seconds)
going sky high...
BUT
the network is acting totally normal. Just a tiny bit slower.