[c-nsp] CBAC and fragmented packets
Victor Sudakov
vas at mpeks.tomsk.su
Fri Feb 17 03:35:21 EST 2012
Nikolay Shopik wrote:
>
> Because UDP is a connectionless protocol, fragmented UDP packets will be
> dropped if they arrive at the destination out of order.
Did you look at the packet dump I provided? What makes you think they
arrived out of order?
I guess CBAC may be closing the UDP "session" prematurely on seeing
only the first fragment, but it's just a guess. I am trying to
"debug ip inspect udp" but there are way too many "sessions".
> And most common sense is to switch to TCP.
This workaround will require editing the registry on all the Windows
boxes in the domain. This can be done but very reluctantly.
> And did you try adding "ip inspect name FOO fragment"?
Yes I did, and it does not change anything. And there is no
"ip virtual reassembly" in this version of IOS.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru