Cisco Bug: CSCun88736 - ASA does not recognise "packet too big" for assembled ICMPv6 echo reply

Last Modified

Apr 16, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.1(4)

Description (partial)

Symptom:
When the ASA receives fragmented ICMPv6 echo requests from a client (fragmented so that they can cross the minimum-MTU link on the traffic path), it reassembles them into the original data. The ASA then sends an ICMPv6 echo reply of the original data size to the client. Because this reply is larger than the MTU on the traffic path, the upstream router returns a "Packet too big" (Type=2) message to the ASA. The ASA drops this "Packet too big" message with the reason "%ASA-4-313005: No matching connection for ICMP error message". As a result, the client is unable to receive an ICMPv6 echo reply from the ASA, and the client's ICMPv6 connection times out.

Conditions:
1. The client uses a larger MTU than the minimum MTU on the traffic path
2. The client sends an ICMPv6 echo request with a large data size to the ASA, and this packet is fragmented

## Network Diagram Example ####

  [ASA]----MTU1500----[Router]----MTU1300----[Router]----MTU1500----[Client]
    :                                                                   :
    :  <- - - - - - - - 1400bytes ICMPv6 Echo Request - - - - - - - - - :
    :                                                                   :
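
For checking a packet capture against this symptom, the following added example (not part of the Cisco bug record) parses an ICMPv6 "Packet too big" message per RFC 4443 and extracts the embedded echo reply's addresses, identifier and sequence number, the fields that tie the error back to the original echo exchange. The addresses, identifier and the reading of 1400 bytes as total packet size are constructed assumptions; the 1300-byte MTU comes from the diagram.

```python
import ipaddress
import struct

ICMPV6 = 58            # IPv6 next-header value for ICMPv6
PACKET_TOO_BIG = 2     # ICMPv6 type named in the symptom text
ECHO_REPLY = 129

def build_echo_reply(src, dst, ident, seq, size):
    """Constructed sample: an unfragmented IPv6 echo reply, `size` bytes in total."""
    icmp = struct.pack("!BBHHH", ECHO_REPLY, 0, 0, ident, seq) + bytes(size - 48)
    hdr = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, 64)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + icmp)

def build_ptb(mtu, invoking):
    """Constructed sample of the router's error (checksum left at 0)."""
    room = 1280 - 40 - 8   # RFC 4443: the whole error packet must fit in 1280 bytes
    return struct.pack("!BBHI", PACKET_TOO_BIG, 0, 0, mtu) + invoking[:room]

def parse_ptb(icmp):
    """Return the reported MTU and the flow identifiers of the embedded packet."""
    mtype, _code, _cksum, mtu = struct.unpack("!BBHI", icmp[:8])
    if mtype != PACKET_TOO_BIG:
        raise ValueError("not a Packet Too Big message")
    inner = icmp[8:]
    if len(inner) < 40:
        raise ValueError("embedded IPv6 header is truncated")
    _vtf, plen, nxt, _hop = struct.unpack("!IHBB", inner[:8])
    info = {
        "mtu": mtu,
        "inner_src": str(ipaddress.IPv6Address(inner[8:24])),
        "inner_dst": str(ipaddress.IPv6Address(inner[24:40])),
        "inner_len": 40 + plen,   # size of the packet that was too big
    }
    if nxt == ICMPV6 and len(inner) >= 48:
        itype, _c, _ck, ident, seq = struct.unpack("!BBHHH", inner[40:48])
        info.update(inner_type=itype, ident=ident, seq=seq)
    return info

if __name__ == "__main__":
    # Constructed values: ASA = 2001:db8::1, client = 2001:db8:ffff::2
    reply = build_echo_reply("2001:db8::1", "2001:db8:ffff::2", 0x1234, 1, 1400)
    print(parse_ptb(build_ptb(1300, reply)))
```
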