[c-nsp] CBAC and fragmented packets
Victor Sudakov
vas at mpeks.tomsk.su
Fri Feb 17 00:04:57 EST 2012
Colleagues,
I have searched the cisco-nsp archives and found similar topics, but
not much that is useful for my problem.
Some UDP Kerberos responses arrive fragmented because they don't
fit into the 1500 MTU. You can see a sample packet dump here:
http://zalil.ru/32722730 (the non-initial fragments are in Frames 9
and 22).
As soon as I enable CBAC on the outside interface:
interface Serial0/0
 ip access-group DENY_ALL in
 ip inspect FOO out
those non-initial fragments stop arriving. I think CBAC does not
create dynamic ACL entries for the fragments for some reason.
Other return traffic (non-fragmented) arrives OK. If I permit fragments
in the DENY_ALL access-list, the fragmented packets arrive OK (which
is the workaround I currently use).
Is it a misconfiguration, some known CBAC bug or what? Thank you in
advance for any input.
Cisco 2691, IOS 12.3(26)
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
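A narrowed form of the workaround described in the post, as an added example (not the author's configuration): non-initial fragments carry no UDP header, so only an ACE with the `fragments` keyword (which may not contain Layer 4 information) can match them, and it is restricted here to the KDC address rather than any source. 192.0.2.10 is a placeholder for the KDC; the deny entry is assumed.

```cisco
! Added example, not from the original post. 192.0.2.10 is a placeholder KDC address.
ip access-list extended DENY_ALL
 ! Non-initial fragments have no UDP header, so "eq 88" cannot match them.
 ! An ACE with the fragments keyword matches only non-initial fragments and
 ! cannot carry Layer 4 information; scope it to the KDC instead of "any".
 permit udp host 192.0.2.10 any fragments
 ! Initial fragments and unfragmented replies are still admitted only by the
 ! CBAC dynamic entries; everything else stays denied (entry assumed).
 deny ip any any
!
interface Serial0/0
 ip access-group DENY_ALL in
 ip inspect FOO out
```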