[c-nsp] ICMP unreachable packets handling on IOS firewall (Zone-based not CBAC)
Anthony GUENEAU
anthony.gueneau at gmail.com
Wed Apr 29 15:24:43 EDT 2009
Hello,
Forget about it. I solved the issue by clamping the TCP MSS (maximum segment
size) to 1200 bytes on packets flowing through the corresponding router
interfaces.
I used the following command in config-int: ip tcp adjust-mss 1200.
This trick prevents IP fragmentation along the path by forcing senders to
reduce their TCP MSS and so the MTU. Now the MTU is 1240.
Anyway, for your information, I got the confirmation the IOS firewalls do
ignore ICMP unreachable packets!
Thanks anyway!
Regards,
Anthony GUENEAU
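As an added illustration (not part of the thread), the following Python sketch does what `ip tcp adjust-mss 1200` does on the router: it walks the TCP options of a SYN and lowers any MSS option above the configured limit, and it shows why MSS 1200 corresponds to a 1240-byte MTU (20-byte IPv4 header plus 20-byte TCP header). The sample SYN options bytes are constructed for the example; a real implementation would also recompute the TCP checksum after rewriting.

```python
"""Added example: MSS clamping of a TCP SYN, as `ip tcp adjust-mss` does."""
import struct
from typing import Optional, Tuple

IPV4_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options


def max_mss_for_mtu(path_mtu: int) -> int:
    """Largest IPv4 TCP MSS that fits in path_mtu without fragmentation."""
    return path_mtu - IPV4_TCP_HEADERS


def clamp_mss_options(options: bytes, mss_limit: int) -> Tuple[bytes, Optional[int]]:
    """Rewrite the MSS option (kind 2) in a TCP options field if it exceeds
    mss_limit. Returns (rewritten options, MSS value seen or None).
    Option encoding follows RFC 793: kind 0 = end, kind 1 = NOP (1 byte),
    all other kinds carry a length byte covering kind+length+data."""
    out = bytearray()
    seen: Optional[int] = None
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # End-of-options: copy the rest
            out += options[i:]
            break
        if kind == 1:                      # NOP padding
            out.append(kind)
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated TCP option")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad TCP option length")
        body = options[i:i + length]
        if kind == 2 and length == 4:      # MSS option: 2-byte value
            seen = struct.unpack("!H", body[2:4])[0]
            if seen > mss_limit:           # only ever lower, never raise
                body = body[:2] + struct.pack("!H", mss_limit)
        out += body
        i += length
    return bytes(out), seen


# Constructed sample: MSS 1460, NOP, window scale 7 (typical SYN options)
SYN_OPTIONS = b"\x02\x04\x05\xb4\x01\x03\x03\x07"

if __name__ == "__main__":
    clamped, original = clamp_mss_options(SYN_OPTIONS, 1200)
    print(f"MSS {original} -> {struct.unpack('!H', clamped[2:4])[0]}")
    print("MTU 1240 allows MSS", max_mss_for_mtu(1240))
```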
-----Original Message-----
From: junior [mailto:drrtuy at ya.ru]
Sent: Wednesday 29 April 2009 11:09
To: Anthony GUENEAU
Subject: Re: [c-nsp] ICMP unreachable packets handling on IOS firewall (Zone-based not CBAC)
Hello.
> I recently configured a Cisco 3825 router with the IOS firewall, running
> Zone-based Policy Firewall feature.
>
> I'm experiencing the following issue:
>
> ICMP unreachable packets, with code 4 (Fragmentation required, and DF flag
> set), passing through the fw-router are properly processed at the router
> layer (watched with debug ip packet) BUT seem to be completely ignored at
> the firewall/inspection layer! No match, no logging.
Can you share the IOS ACL?
> Is it a regular behavior on IOS firewall? If yes, I would like to know how
> to work around this issue.
>
> Indeed, because of that, ICMP unreachable packets do not reach the initial
> sender (asking him to fragment) and some TCP flows passing through the
> fw-router hang.
What are you trying to achieve, actually?
> Any help would be very welcome :)
WBR
Roman A. Nozdrin
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>