Cisco Bug: CSCta93129 - VFR does not work on VPN traffic when ipsec & inner packet is fragmented
Jan 31, 2017
- Cisco IOS
Known Affected Releases
Symptoms: An IP fragment may bypass virtual fragment reassembly (VFR) processing and create a VFR timeout, causing additional inner IP fragments to be dropped.

Conditions: This symptom is observed when encrypted IPSEC packets are fragmented by the remote device (fragmentation after encryption) or somewhere in the network between the VPN termination routers. When the fragmented IPSEC packets are reassembled and decrypted, if the decrypted inner packet is also an IP fragment, the IP fragment bypasses VFR processing. The following conditions may cause this symptom to occur:

1) VFR is enabled on the decryption side
2) Fragmentation happens after encryption on the encrypting router, or in the path
3) The inner IP packet is fragmented when received by the encrypting router
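To assess exposure to the three conditions above, the following IOS CLI session is an added example, not part of the bug record, and the interface name, tunnel peer and counter values are constructed. It checks whether VFR is enabled on the decrypting interface (condition 1), which fragmentation mode the encrypting router uses (condition 2), and whether VFR is already reporting timeouts and drops consistent with the symptom.

```text
! Decrypting router: is VFR configured on the interface that receives decrypted traffic?
Router-B# show running-config interface Tunnel0
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252        ! constructed addressing
 ip virtual-reassembly                        ! condition 1 is met on this interface
 tunnel protection ipsec profile VPN-PROFILE  ! constructed profile name

! Encrypting router: where does fragmentation of IPsec packets happen?
Router-A# show running-config | include crypto ipsec fragmentation
crypto ipsec fragmentation after-encryption   ! condition 2 is met if this line is present

! Decrypting router: VFR statistics; rising timeouts/drops on the VPN interface match the symptom
Router-B# show ip virtual-reassembly Tunnel0
Tunnel0:
   Virtual Fragment Reassembly (VFR) is ENABLED...
   Concurrent reassemblies (max-reassemblies): 16
   Fragments per reassembly (max-fragments): 32
   Reassembly timeout (timeout): 3 seconds
   Drop fragments: OFF
   Current reassembly count:0
   Current fragment count:0
   Total reassembly count:1240       ! constructed counter values
   Total reassembly timeout count:87
```

If `crypto ipsec fragmentation` does not appear in the running configuration, the router is using its default mode; the bug record does not state a workaround, so treat the output as exposure evidence rather than as a fix.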