[c-nsp] CBAC and fragmented packets

Nikolay Shopik shopik at inblock.ru
Fri Feb 17 03:05:52 EST 2012


Victor,

Because UDP is a connectionless protocol, fragmented UDP packets will be 
dropped if they arrive at the destination out of order. And the most 
common-sense thing is to switch to TCP.

And did you try adding "ip inspect name FOO fragment"?

On 17/02/12 09:04, Victor Sudakov wrote:
> Colleagues,
>
> I have searched the cisco-nsp archives and found similar topics but
> not much that was useful for my problem.
>
> Some UDP Kerberos responses arrive fragmented because they don't
> fit into the 1500 MTU. You can see a sample packet dump here:
> http://zalil.ru/32722730 (the non-initial fragments are in Frames 9
> and 22).
>
> As soon as I enable CBAC on the outside interface:
>
> interface Serial0/0
>   ip access-group DENY_ALL in
>   ip inspect FOO out
>
> those non-initial fragments stop arriving. I think CBAC does not
> create dynamic ACL entries for the fragments for some reason.
>
> Other return traffic (non-fragmented) arrives OK. If I permit fragments
> in the DENY_ALL access-list, the fragmented packets arrive OK (which
> is the workaround I currently use).
>
> Is it a misconfiguration, some known CBAC bug or what? Thank you in
> advance for any input.
>
> Cisco 2691, IOS 12.3(26)
>


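The two configurations discussed in this thread, written out as a full IOS fragment so the difference is visible side by side: the CBAC fragment-inspection line Nikolay suggests, and the ACL "fragments" entry Victor describes as his workaround. This is an added illustration, not configuration from either poster's router. The inspection rule set under FOO, the max/timeout values, and the KDC address 192.0.2.10 are assumptions made here for the example.

```ios
! --- Option 1: let CBAC track fragments (Nikolay's suggestion) ---
! Assumed: FOO already inspects the UDP Kerberos traffic going out.
ip inspect name FOO udp
ip inspect name FOO tcp
! Enable fragment inspection for FOO. max/timeout values are assumed
! for the example; tune them to the expected number of in-flight
! fragmented datagrams.
ip inspect name FOO fragment max 256 timeout 1

! --- Option 2: explicitly permit non-initial fragments in the inbound
!     ACL (Victor's current workaround). Shown here restricted to the
!     assumed KDC source instead of "any", so the hole stays narrow.
!     The "fragments" keyword matches non-initial fragments only and
!     cannot be combined with Layer 4 port information.
ip access-list extended DENY_ALL
 remark 192.0.2.10 is the assumed KDC address
 permit udp host 192.0.2.10 any fragments
 deny   ip any any

! Interface binding, unchanged from the original post.
interface Serial0/0
 ip access-group DENY_ALL in
 ip inspect FOO out
```

With Option 1, check the result with "show ip inspect sessions" and "show ip inspect config" after triggering a fragmented Kerberos reply; with Option 2, "show ip access-lists DENY_ALL" should show hit counts climbing on the fragments entry while the non-initial fragments arrive.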