
Cisco Bug: CSCta93129 - VFR does not work on VPN traffic when ipsec & inner packet is fragmented

Last Modified

Jan 31, 2017

Products (1)

  • Cisco IOS

Known Affected Releases

  • 12.4(15)T9
  • 12.4(20)T3

Description (partial)

Symptoms: An IP fragment may bypass virtual fragment reassembly (VFR) processing and cause a VFR timeout, so that additional inner IP fragments are dropped.

Conditions: This symptom is observed when encrypted IPsec packets are fragmented by the remote device (fragmentation after encryption) or in the network between the VPN termination routers. When the fragmented IPsec packets are reassembled and decrypted, and the decrypted inner packet is itself an IP fragment, that inner fragment bypasses VFR processing. The following conditions may cause this symptom to occur:
  1) VFR is enabled on the decrypting side.
  2) Fragmentation happens after encryption, either on the encrypting router or in the path.
  3) The inner IP packet is already fragmented when it is received by the encrypting router.
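The following IOS configuration sketch is added here by the editor to make the three conditions concrete; it is not part of the Cisco bug record and does not describe the bug's fix or Cisco's workaround. Interface names, addresses, the crypto map name and the MTU values are assumed. The decrypting-router part shows what condition (1) looks like and how to observe VFR state; the encrypting-router part shows standard IOS settings that reduce how often conditions (2) and (3) arise, which is an editorial suggestion rather than anything the bug page states.

```cisco
! --- Decrypting router (the side that shows the symptom) ---
! Condition (1): VFR is enabled on the interface where the IPsec
! tunnel terminates and the inner packets are delivered after decryption.
interface GigabitEthernet0/0
 description Internet-facing, IPsec termination (assumed name/address)
 ip address 203.0.113.1 255.255.255.0
 ip virtual-reassembly
 crypto map VPN-MAP
!
! Check while reproducing: VFR timeouts and dropped fragments on this
! interface are the visible symptom described above.
!   show ip virtual-reassembly GigabitEthernet0/0
!
! --- Encrypting router (remote side) ---
! Condition (2), local part: ask IOS to fragment before encryption where it
! can, so the encrypted packet itself is not fragmented on this router.
! This does not help if a smaller MTU further along the path fragments the
! encrypted packet anyway.
crypto ipsec fragmentation before-encryption
crypto ipsec df-bit clear
!
! Keep the encrypted packet under a 1500-byte path MTU so it is not
! fragmented in transit (values assumed; size them for your overhead).
interface Tunnel0
 description IPsec-protected tunnel (assumed)
 ip mtu 1400
 ip tcp adjust-mss 1360
```

Note the limits of the encrypting-router settings: MSS clamping only affects TCP, so UDP or ICMP payloads that arrive already fragmented from upstream hosts still satisfy condition (3), and pre-fragmentation on the encrypting router cannot prevent fragmentation by an intermediate hop. If all three conditions can still be met in your topology, the bug remains reachable and the fixed releases in the full bug record are the real remedy.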
Bug details contain sensitive information and therefore require an account to be viewed.
