Cisco Bug: CSCum63417 - ASA should not allow interface MTU config greater than 9202/9198
Apr 16, 2020
- Cisco ASA 5500-X Series Firewalls
Known Affected Releases
Symptom:
The ASA allows an interface MTU configuration of up to 65535:

  ciscoasa(config)# mtu outside ?

  configure mode commands/options:
    <64-65535>  MTU bytes

However, per the ASA command reference, the maximum allowed size of a jumbo frame is 9216:
http://www.cisco.com/en/US/docs/security/asa/command-reference/jk.html#wp1633967

"A jumbo frame is an Ethernet packet larger than the standard maximum of 1518 bytes (including Layer 2 header and FCS), up to 9216 bytes."

As a result, if a user sets the MTU to something higher than 9202 on a physical interface or 9198 on a sub-interface, packets are dropped by the ASA when the L2 header (and 802.1q tag if applicable) is added.

Conditions:
These drops occur if the MTU is set to a value greater than 9202 on a physical interface or 9198 on a sub-interface.
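A configuration audit for the condition described above, as an added example that is not part of the Cisco bug text: it maps each mtu line of a saved running configuration to its interface through nameif and flags values above 9202 (physical) or 9198 (sub-interface). The sample configuration is constructed, and treating a dot in the interface name as the sub-interface marker is an assumption of this example.

```python
import re

MAX_MTU_PHYSICAL = 9202      # limit from the bug text, physical interface
MAX_MTU_SUBINTERFACE = 9198  # limit from the bug text, sub-interface

# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
!
interface GigabitEthernet0/1
 no nameif
!
interface GigabitEthernet0/1.100
 vlan 100
 nameif dmz
!
interface GigabitEthernet0/2
 nameif inside
!
mtu outside 9216
mtu dmz 9200
mtu inside 9202
"""

def audit_mtu(config):
    """Return (nameif, interface, mtu, limit) for each MTU above its limit."""
    nameif_to_port = {}
    current = None
    for line in config.splitlines():
        port = re.match(r"interface\s+(\S+)", line)
        name = re.match(r"\s+nameif\s+(\S+)", line)
        if port:
            current = port.group(1)
        elif name and current:
            nameif_to_port[name.group(1)] = current
    findings = []
    for m in re.finditer(r"^mtu\s+(\S+)\s+(\d+)\s*$", config, re.MULTILINE):
        nameif, mtu = m.group(1), int(m.group(2))
        port = nameif_to_port.get(nameif, "unknown")
        # Assumption: a dot in the interface name marks a sub-interface.
        limit = MAX_MTU_SUBINTERFACE if "." in port else MAX_MTU_PHYSICAL
        if mtu > limit:
            findings.append((nameif, port, mtu, limit))
    return findings

if __name__ == "__main__":
    for nameif, port, mtu, limit in audit_mtu(SAMPLE_CONFIG):
        print(f"{nameif} ({port}): mtu {mtu} exceeds {limit}")
```

A nameif with no matching interface stanza is checked against the physical limit, so review any finding reported with the interface "unknown" by hand.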