Cisco Bug: CSCun76930 - IPS: Fragment Reassembly Delay Can Trigger Sig 1208.0 and Drop Fragments

Last Modified

Jul 21, 2016

Products (11)

  • Cisco IPS 4200 Series Sensors
  • Cisco ASA 5555-X IPS Security Services Processor
  • Cisco IPS 4345 Sensor
  • Cisco ASA 5525-X IPS Security Services Processor
  • Cisco IPS 4520 Sensor
  • Cisco ASA 5545-X IPS Security Services Processor
  • Cisco IPS 4510 Sensor
  • Cisco ASA 5515-X IPS Security Services Processor
  • Cisco IPS 4360 Sensor
  • Cisco ASA 5585-X IPS Security Services Processor

Known Affected Releases

7.1(1)E4 7.1(2)E4 7.1(3)E4 7.1(4)E4 7.1(5)E4 7.1(6)E4 7.1(7)E4 7.1(8)E4 7.2(1)E4 7.2(2)V 7.3(1)C 7.3(2)C

Description (partial)

Symptom:
Inspected IP fragments are unexpectedly denied or dropped. While the problem is occurring, the 'show statistics virtual-sensor' command output (also included in the output of the 'show tech' meta-command) shows the associated limit (1,000 by default) being reached. Example:

 Fragment Reassembly Unit Statistics for this Virtual Sensor
  Number of datagrams currently in FRU = 1000 <--NOTE

Signature 1208.0 will also be triggering. Example:

 Per-Signature SigEvent count since reset
  Sig 1208.0 = 131072 <--THIS VALUE WILL BE INCREMENTING (DEPICTED BY RE-RUNNING THE COMMAND AND COMPARING THE OUTPUTS' VALUES)


In the same command output, the following counter is non-zero if this issue is occurring or has occurred since the last time the IPS was reset. Example:

  Fragments hitting the max partial datagrams limit since last reset = 1,310 <--NOTE

Conditions:
An IPS sensor device running an affected software version and inspecting fragmented IP traffic.
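
Added example (not Cisco's code and not part of the bug record): a Python check that compares two captures of the 'show statistics virtual-sensor' output for the three indicators described above. The capture texts are constructed from the excerpts on this page; the function names and the handling of a counter that is absent from the output are assumptions of this example.

```python
import re

# Counter lines as they appear in the excerpts on this page.
PATTERNS = {
    "fru_datagrams": r"Number of datagrams currently in FRU\s*=\s*([\d,]+)",
    "sig_1208_0": r"Sig 1208\.0\s*=\s*([\d,]+)",
    "max_partial_hits": r"Fragments hitting the max partial datagrams limit "
                        r"since last reset\s*=\s*([\d,]+)",
}

def parse_stats(text):
    """Extract the three counters; a counter missing from the output is None."""
    found = {}
    for name, pattern in PATTERNS.items():
        m = re.search(pattern, text)
        # Values may carry thousands separators, e.g. "1,310".
        found[name] = int(m.group(1).replace(",", "")) if m else None
    return found

def assess(before, after, fru_limit=1000):
    """Compare two captures of the command taken some time apart."""
    b, a = parse_stats(before), parse_stats(after)
    findings = []
    if a["fru_datagrams"] is not None and a["fru_datagrams"] >= fru_limit:
        findings.append("FRU datagram limit reached")
    # Assumption: if either capture lacks the Sig 1208.0 line, skip the comparison.
    if None not in (b["sig_1208_0"], a["sig_1208_0"]):
        if a["sig_1208_0"] > b["sig_1208_0"]:
            findings.append("Sig 1208.0 count incrementing")
    if a["max_partial_hits"]:
        findings.append("max partial datagrams limit hit since last reset")
    return findings

# Constructed sample captures modelled on the excerpts above.
TEMPLATE = """ Fragment Reassembly Unit Statistics for this Virtual Sensor
  Number of datagrams currently in FRU = {fru}
  Fragments hitting the max partial datagrams limit since last reset = {hits}
 Per-Signature SigEvent count since reset
{sig}"""
CAPTURE_1 = TEMPLATE.format(fru="1000", hits="1,310", sig="  Sig 1208.0 = 131072")
CAPTURE_2 = TEMPLATE.format(fru="1000", hits="1,522", sig="  Sig 1208.0 = 131400")
HEALTHY = TEMPLATE.format(fru="12", hits="0", sig="")

if __name__ == "__main__":
    for finding in assess(CAPTURE_1, CAPTURE_2):
        print(finding)
```

The default `fru_limit` of 1000 matches the by-default limit quoted in the symptom; pass the configured value if the sensor uses a different one.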