[c-nsp] ICMP unreachable packets handling on IOS firewall (Zone-based not CBAC)

Anthony GUENEAU anthony.gueneau at gmail.com
Wed Apr 29 15:24:43 EDT 2009


Hello,

Forget about it. I solved the issue by clamping the TCP MSS (maximum segment
size) to 1200 bytes on packets flowing through the corresponding router
interfaces.
I used the following command in config-int: ip tcp adjust-mss 1200.
This trick prevents IP fragmentation along the path by forcing senders to
reduce their TCP MSS and thus the MTU. Now the MTU = 1240.
Anyway, for your information, I got confirmation that IOS firewalls do
ignore ICMP unreachable packets!

Thanks anyway!

Regards,
Anthony GUENEAU
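
Added illustration, not code from the thread or from Cisco: a small Python model of the failure mode described above (a Path MTU Discovery blackhole when ICMP type 3 / code 4 never reaches the sender) and of why the MSS clamp avoids it. Host and hop MTU values are constructed; the 1240 figure follows the post (1200-byte MSS plus 20-byte IPv4 and 20-byte TCP headers without options).

```python
# Added example (not from the thread): model of Path MTU Discovery failing when
# ICMP type 3 / code 4 is dropped, and of why clamping the MSS avoids it.
# Assumes IPv4 and TCP headers without options (20 bytes each); all MTU values
# used below are constructed for illustration.
IP_HDR = 20
TCP_HDR = 20


def mss_for_mtu(mtu):
    """Largest TCP payload that fits in one packet of the given MTU."""
    return mtu - IP_HDR - TCP_HDR


def mtu_for_mss(mss):
    """Wire size of a full-MSS segment (1200 -> 1240, as in the post)."""
    return mss + IP_HDR + TCP_HDR


def advertised_mss(host_mtu, adjust_mss=None):
    """MSS option a host puts in its SYN. A router with 'ip tcp adjust-mss N'
    on the transit interface rewrites the option down to N when it is larger."""
    mss = mss_for_mtu(host_mtu)
    if adjust_mss is not None and mss > adjust_mss:
        mss = adjust_mss
    return mss


def simulate_flow(sender_mtu, receiver_mtu, hop_mtus, icmp_passes, adjust_mss=None):
    """Return (outcome, segment_size_on_wire) for a bulk transfer with DF set.

    The sender fills segments up to the peer's advertised MSS (bounded by its
    own MTU). If some hop is smaller, that router sends ICMP unreachable
    code 4; when the message gets back to the sender, PMTUD shrinks the
    segments. When a firewall in the path ignores/drops it (the behaviour
    reported in the thread), the full-size segments are silently lost and the
    flow hangs: a PMTUD blackhole."""
    peer_mss = advertised_mss(receiver_mtu, adjust_mss)
    size = min(mtu_for_mss(peer_mss), sender_mtu)
    bottleneck = min(hop_mtus)
    if size <= bottleneck:
        return "ok", size
    if icmp_passes:
        return "ok", bottleneck      # PMTUD works: next-hop MTU is honoured
    return "blackhole", size         # DF set, no ICMP feedback, retransmits die
```

With icmp_passes=False and a 1300-byte hop, the flow blackholes at 1500-byte segments unless adjust_mss=1200 is applied, in which case the segments shrink to 1240 bytes and pass.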
 

-----Original Message-----
From: junior [mailto:drrtuy at ya.ru] 
Sent: Wednesday 29 April 2009 11:09
To: Anthony GUENEAU
Subject: Re: [c-nsp] ICMP unreachable packets handling on IOS firewall
(Zone-based not CBAC)

Hello.

> I recently configured a Cisco 3825 router with the IOS firewall, running
> Zone-based Policy Firewall feature.
> 
> I'm experiencing the following issue:
> 
> ICMP unreachable packets, with code 4 (Fragmentation required, and DF flag
> set), passing through the fw-router are properly processed at the router
> layer (watched with debug ip packet) BUT seem to be completely ignored at
> the firewall/inspection layer! No match, no logging.

Can you share the IOS ACL?

> Is it a regular behavior on IOS firewall? If yes, I would like to know how
> to work around this issue.
> 
> Indeed, because of that, ICMP unreachable packets do not reach the initial
> sender (asking him to fragment) and some TCP flows passing through the
> fw-router hang.

What are you trying to achieve, actually?

> Any help would be very welcome :)

WBR
Roman A. Nozdrin

> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 


