PIX breaking fragmented packets over IPSec tunnel

ltwomey (Level 1)

I have a PIX 6.2(2) configured to establish an IPSec tunnel (3DES/SHA) to a Checkpoint firewall. The tunnel comes up, and traffic flows properly most of the time. However, if a client on the PIX LAN generates a fragmented UDP packet, the PIX passes the first fragment over the VPN successfully, but the second fragment appears at the far side as two separate (un-fragmented) UDP packets with "random" source and destination ports and a much larger number of bytes than the original fragmented packet (on subsequent fragmented UDP packets the first fragment arrives at the far side but subsequent fragments never appear). Fragmented packets generated by the remote (non-PIX) site are handled correctly by the firewalls.

While testing this, I disabled the VPN, and the fragmented packets arrived successfully at the remote site, so this problem seems to be related to the encryption of the packets by the PIX. The PIX is not configured to drop fragmented packets. Dropping the VPN to use DES/MD5 had no effect.

Is anyone aware of any problems with handling fragmented packets in PIX v6.2(2), or is there a setting that I haven't managed to find that may affect this?

Thanks in advance,

Louis Twomey.
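An added example, not code from the original post: a small Python checker that parses raw IPv4 packets as they would be seen on the far side of the tunnel and classifies each fragment set. Only the first fragment of a UDP datagram carries the UDP header, so a later fragment delivered on its own looks like a standalone packet whose "ports" and length are really payload bytes; the checker flags that case by comparing the UDP length field against the IP payload length. Addresses, IDs and the payload are constructed sample values.

```python
import struct

IP_MF = 0x2000          # "more fragments" bit in the IPv4 flags/fragment-offset field
IPV4_HDR = "!BBHHHBBH4s4s"

def build_udp_fragments(src, dst, ident, sport, dport, payload, mtu=1500):
    """Constructed sample: fragment one UDP datagram the way an IPv4 stack would.
    Only the first fragment carries the 8-byte UDP header; later ones are raw payload."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    step = (mtu - 20) // 8 * 8          # fragment data must be a multiple of 8 bytes
    frags = []
    for off in range(0, len(udp), step):
        chunk = udp[off:off + step]
        mf = IP_MF if off + step < len(udp) else 0
        hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(chunk), ident,
                          mf | (off // 8), 64, 17, 0, src, dst)   # checksum left 0 (constructed)
        frags.append(hdr + chunk)
    return frags

def parse(pkt):
    """Minimal IPv4 header parser returning the fields the audit needs."""
    ver_ihl, _, total, ident, fo, _, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return dict(id=ident, proto=proto, src=src, dst=dst, mf=bool(fo & IP_MF),
                offset=(fo & 0x1FFF) * 8, data=pkt[ihl:total])

def audit(packets):
    """Classify received packets per (src, dst, id, proto): a complete fragment set,
    an incomplete one, a normal datagram, or a non-fragment whose UDP length field
    disagrees with the IP payload length (a later fragment delivered on its own)."""
    groups, report = {}, {}
    for p in map(parse, packets):
        groups.setdefault((p["src"], p["dst"], p["id"], p["proto"]), []).append(p)
    for key, frags in groups.items():
        frags.sort(key=lambda f: f["offset"])
        first = frags[0]
        if len(frags) == 1 and not first["mf"] and first["offset"] == 0:
            udp_len = struct.unpack("!H", first["data"][4:6])[0] if len(first["data"]) >= 8 else -1
            report[key] = "datagram" if udp_len == len(first["data"]) else "orphan fragment?"
            continue
        nxt, done = 0, False
        for f in frags:
            if f["offset"] != nxt:
                break
            nxt, done = nxt + len(f["data"]), not f["mf"]
        report[key] = "reassembled" if done else "incomplete"
    return report

def demo():
    src, dst = bytes([10, 1, 1, 5]), bytes([10, 2, 2, 7])          # constructed addresses
    frags = build_udp_fragments(src, dst, 0x1234, 4000, 5000, bytes(range(256)) * 8)
    # Constructed reproduction of the symptom: the second fragment arrives as a
    # standalone packet (fragment fields cleared, fresh id) instead of as a fragment.
    orphan = struct.pack(IPV4_HDR, 0x45, 0, len(frags[1]), 0x1235, 0, 64, 17, 0, src, dst) + frags[1][20:]
    return audit(frags), audit([frags[0], orphan])
```

`demo()` returns the report for the intact two-fragment datagram ("reassembled") and for the mangled case, where the first fragment is left "incomplete" and the stray second one is flagged as "orphan fragment?".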

2 Replies

afakhan (Level 4)

Hi,

I couldn't find any known bug for this issue on PIX 6.2.2 where the PIX can't encrypt the UDP fragments and sends them out in cleartext.

What about lowering the MTU on those servers (or by the PIX) sitting behind the PIX to avoid fragmentation as the workaround?

Thanks,

Afaq

Hi Afaq,

Thanks for the response. It turns out that the problem was the Checkpoint end of the VPN link. The PIX was successfully encrypting the packets, but the Checkpoint (NG FP1) was not decrypting the second (and subsequent) fragments correctly. Upgrading to Checkpoint NG FP2 solved the problem. This problem never arose on a Checkpoint NG FP1 to Checkpoint NG FP1 VPN link, which suggests that the Checkpoint does not like the fragmented packets as encrypted by the PIX - the fact that the problem does not occur in NG FP2 suggests that this was a bug in NG FP1 rather than a problem with the PIX.

Regards,

Louis.