[c-nsp] ip virtual-reassembly
Michael Markstaller
mm at elabnet.de
Tue Oct 25 14:41:53 EDT 2005
To comment on stability, I had to disable it up to & including 12.3(14)T, but since 12.4 it doesn't seem to cause big problems anymore.
Michael
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of John Ferlito
> Sent: Tuesday, October 25, 2005 1:21 AM
> To: Dave Temkin
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] ip virtual-reassembly
>
> On Mon, Oct 24, 2005 at 11:35:56AM -0400, Dave Temkin wrote:
> > Is anyone aware why this was added in more recent (12.3T) IOS versions?
> > Was this a feature that was enabled behind the scenes before and they just
> > added a command for it, or is it new functionality? It now gets put on an
> > interface that you place "ip nat inside" or "outside" on.
> >
> > All of the documentation I can find makes it sound like you only need it
> > if you're doing NAT and CBAC or IOS Firewall together, and not just NAT by
> > itself. I see it causing about a 15% performance hit if I leave it
> > enabled.
>
> I turn it off on all our customer CPE as it tends to cause issues with
> reordered fragments.
>
> If you receive fragment 2 first the router marks this as being from
> public to public since it has no TCP header to reference. The first
> fragment then comes in and gets marked as being from public to private.
> The two fragments then never get put back together as it looks like they
> are from different packets.
>
> You would think this wouldn't be a huge problem but we were seeing
> sites that were consistently doing the above.
>
> There is a document in the TAC that explains why the above happens, but I
> can't find it at the moment. I suppose if the reassembly happened and
> then the packet got pushed through the NAT code it would fix the
> problem, but maybe that's not possible.
>
> --
> John Ferlito
> Director
> Beagle Internet
> ph: +61 (0) 2 9808 2547
> fax: +61 (0) 2 9877 5355
> mob: +61 (0) 410 519 382
> http://www.beagle.com.au/
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
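The fragment-ordering failure John describes above, as an added model in Python. This is example code written for this page, not IOS code and not something from the thread; the NAT table, addresses, IP ID and payload are constructed, and the per-fragment "fragment cache" (first fragment learns the translation, later fragments of the same datagram follow it) is an assumption about how a NAT that translates fragment by fragment would behave. It shows that translating each fragment as it arrives works only when the first fragment (the only one carrying the TCP header) comes first, and that reassembling before NAT, which is what virtual reassembly does, is order-independent.

```python
"""Model of per-fragment NAT versus reassemble-then-NAT for reordered fragments.

Constructed example for illustration, not Cisco IOS behaviour verbatim.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    ident: int            # IP identification, shared by all fragments of one datagram
    src: str
    dst: str
    offset: int           # fragment offset in bytes
    more: bool            # MF flag
    payload: bytes
    dport: Optional[int] = None   # only the first fragment carries the TCP/UDP header

    @property
    def has_l4_header(self) -> bool:
        return self.offset == 0


# Static outside->inside translation table: (public address, port) -> private address.
# Constructed for the example.
NAT_TABLE: Dict[Tuple[str, int], str] = {("203.0.113.10", 80): "10.0.0.5"}


class PerFragmentNat:
    """NAT that translates each fragment on arrival.

    The first fragment is matched on its TCP header and the result is cached by
    (src, ident) so later fragments of the same datagram follow it. A non-first
    fragment that arrives before the first has no header and no cached state, so
    it is left untranslated ("public to public" in John's words). Assumed model.
    """

    def __init__(self) -> None:
        self.frag_cache: Dict[Tuple[str, int], str] = {}

    def translate(self, frag: Fragment) -> Fragment:
        key = (frag.src, frag.ident)
        if frag.has_l4_header:
            new_dst = NAT_TABLE.get((frag.dst, frag.dport))
            if new_dst is None:
                return frag
            self.frag_cache[key] = new_dst
            return replace(frag, dst=new_dst)
        new_dst = self.frag_cache.get(key)
        return frag if new_dst is None else replace(frag, dst=new_dst)


class Reassembler:
    """Reassembly keyed on (src, dst, ident), as an IP stack does it.

    Fragments of one datagram that were given different destination addresses
    land in different buckets and can never complete each other.
    """

    def __init__(self) -> None:
        self.buckets: Dict[Tuple[str, str, int], List[Fragment]] = {}

    def add(self, frag: Fragment) -> Optional[Fragment]:
        key = (frag.src, frag.dst, frag.ident)
        bucket = self.buckets.setdefault(key, [])
        bucket.append(frag)
        bucket.sort(key=lambda f: f.offset)
        expected = 0
        for f in bucket:            # complete only if contiguous from offset 0 ...
            if f.offset != expected:
                return None
            expected += len(f.payload)
        if bucket[-1].more:         # ... and the last fragment has MF clear
            return None
        del self.buckets[key]
        whole = b"".join(f.payload for f in bucket)
        return Fragment(frag.ident, frag.src, frag.dst, 0, False, whole, bucket[0].dport)


def nat_then_reassemble(fragments: List[Fragment]) -> Tuple[list, int]:
    """NAT each fragment as it arrives, then reassemble. Returns (datagrams, stranded buckets)."""
    nat, asm, done = PerFragmentNat(), Reassembler(), []
    for f in fragments:
        whole = asm.add(nat.translate(f))
        if whole:
            done.append((whole.src, whole.dst, whole.payload))
    return done, len(asm.buckets)


def reassemble_then_nat(fragments: List[Fragment]) -> Tuple[list, int]:
    """Virtual reassembly: complete the datagram first, then NAT it with its header present."""
    nat, asm, done = PerFragmentNat(), Reassembler(), []
    for f in fragments:
        whole = asm.add(f)
        if whole:
            t = nat.translate(whole)
            done.append((t.src, t.dst, t.payload))
    return done, len(asm.buckets)


# Constructed sample: one 16-byte datagram split into two fragments, delivered in
# order and with the second fragment first.
PAYLOAD = b"GET / HTTP/1.0\r\n"
FIRST = Fragment(0x1234, "198.51.100.7", "203.0.113.10", 0, True, PAYLOAD[:8], dport=80)
SECOND = Fragment(0x1234, "198.51.100.7", "203.0.113.10", 8, False, PAYLOAD[8:])
IN_ORDER = [FIRST, SECOND]
REORDERED = [SECOND, FIRST]

if __name__ == "__main__":
    for name, frags in (("in order", IN_ORDER), ("reordered", REORDERED)):
        print(name, "NAT per fragment:", nat_then_reassemble(frags))
        print(name, "virtual reassembly:", reassemble_then_nat(frags))
```

In the reordered case the per-fragment path leaves two stranded buckets (one keyed on the public address, one on the private) and delivers nothing, which is the symptom John reports; reassembling first gives the same translated datagram regardless of arrival order, at the cost of holding fragments, which is where the performance hit Dave measured comes from.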