[nsp] Problem with fragmented packets on 6506...

Iva Cabric ivac+cisco-nsp at mail.iskon.hr
Fri Feb 14 15:57:53 EST 2003


Hello,
I have discovered a problem on a Catalyst 6506 (with Native IOS), which
affects fragmented packets (only UDP and TCP packets; ICMP is passing
fine). IOS is 12.1(13)E3, and the map looks like this:

  ----------------            -------------            --------------
 |backbone routers| (VLAN 4) |Catalyst 6506| (VLAN 2) |access servers|
  ----------------            -------------            --------------

Two backbone routers are connected in one VLAN (id 4), and the access
servers are connected in the other VLAN (id 2). When I connect via dial-up
to one of the access servers and generate TCP or UDP traffic which is
fragmented (first fragment with DF = 0 and MF = 1, and second DF = 0,
MF = 0), only the first fragment goes through the 6506 and is seen on the
ingress interface of the backbone router.

I have put an outbound access list on Vlan4 which counts normal packets
and fragments, and it reports that both are passed through, but the inbound
access list on the backbone router reports that only the first fragments of
packets are coming in. Also, the same thing happens with a server in VLAN 4
when looking with tcpdump (the first fragment comes, but the others are missing).
The server also generates "icmp: ip reassembly time exceeded", which is fine
because it never received the second fragment.

When some other VLAN (except VLAN 4) is used as source or destination
everything works fine. And they all have similar configurations.

The problem was first noticed with IPSec dial-up clients, when they couldn't
make connections to VPN concentrators, because ISAKMP packets (UDP 500,
length > 576 bytes) couldn't pass through.

Is this problem known to someone else or should I contact TAC?
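The symptom above (first fragment arrives, later fragments never do, host logs "ip reassembly time exceeded") can be confirmed from a capture on the receiving side by grouping IPv4 fragments per datagram and checking coverage. The following is an added example and is not code from the original post; it builds its own constructed IPv4 headers (the addresses, IP IDs and sizes are made up) and reports which datagrams are left incomplete, the way a tcpdump-based check on the backbone router or the VLAN 4 server would.

```python
"""Find IPv4 datagrams that never complete reassembly in a packet list.
Added example, not from the original post. All packet bytes are constructed."""
import struct

IP_DF = 0x4000          # Don't Fragment flag in the flags/fragment-offset field
IP_MF = 0x2000          # More Fragments flag
IP_HDR = "!BBHHHBBH4s4s"  # minimal 20-byte IPv4 header, no options


def ip_to_bytes(addr):
    return bytes(int(x) for x in addr.split("."))


def build_ipv4(ident, payload_len, offset, mf, df=False, proto=17,
               src="10.0.2.10", dst="10.0.4.1"):
    """Build a minimal IPv4 header plus a zero-filled payload (constructed data).
    offset is in bytes and must be a multiple of 8, as on the wire."""
    flags_frag = (IP_DF if df else 0) | (IP_MF if mf else 0) | ((offset // 8) & 0x1FFF)
    header = struct.pack(IP_HDR, 0x45, 0, 20 + payload_len, ident, flags_frag,
                         64, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return header + b"\x00" * payload_len


def parse_ipv4(pkt):
    """Decode the fields needed for fragment tracking from a raw IPv4 packet."""
    vihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack(IP_HDR, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {
        "id": ident, "proto": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "df": bool(flags_frag & IP_DF), "mf": bool(flags_frag & IP_MF),
        "offset": (flags_frag & 0x1FFF) * 8,      # fragment offset in bytes
        "payload_len": total_len - ihl,
    }


def is_fragment(p):
    # A datagram is fragmented if MF is set or it is not the first piece.
    return p["mf"] or p["offset"] > 0


def reassembly_status(pkts):
    """Group fragments by (src, dst, id, proto) and report coverage gaps.
    Returns {key: {"complete": bool, "missing": [(start, end_or_None)], "fragments": n}}.
    An end of None means the final (MF=0) fragment was never seen."""
    groups = {}
    for raw in pkts:
        p = parse_ipv4(raw)
        if not is_fragment(p):
            continue                                # whole datagrams need no tracking
        key = (p["src"], p["dst"], p["id"], p["proto"])
        groups.setdefault(key, []).append(p)

    report = {}
    for key, frags in groups.items():
        frags.sort(key=lambda f: f["offset"])
        covered, missing = 0, []
        for f in frags:
            if f["offset"] > covered:               # hole before this fragment
                missing.append((covered, f["offset"]))
            covered = max(covered, f["offset"] + f["payload_len"])
        if not any(not f["mf"] for f in frags):     # tail fragment never arrived
            missing.append((covered, None))
        report[key] = {"complete": not missing, "missing": missing,
                       "fragments": len(frags)}
    return report


# Constructed capture as seen on the far side of the 6506: datagram 0x1001
# arrives whole, datagram 0x1002 loses its second fragment, 0x1003 is unfragmented.
SAMPLE = [
    build_ipv4(0x1001, 1480, 0, mf=True),
    build_ipv4(0x1001, 300, 1480, mf=False),
    build_ipv4(0x1002, 1480, 0, mf=True),
    build_ipv4(0x1003, 100, 0, mf=False, df=True),
]

if __name__ == "__main__":
    for key, status in reassembly_status(SAMPLE).items():
        src, dst, ident, proto = key
        state = "complete" if status["complete"] else f"INCOMPLETE, missing {status['missing']}"
        print(f"{src} -> {dst} id=0x{ident:04x} proto={proto}: {state}")
```

Run against a real capture, the same logic over packets decoded from a pcap would list exactly the IP IDs whose second fragment the 6506 dropped, which is the evidence to hand to TAC alongside the ACL counters.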


