Cisco Bug: CSCus63115 - ASA drops packet-too-big when icmp inspection is on (traffic thru ASA)

Last Modified

Jul 11, 2018

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.1(5)

Description (partial)

Symptom:
Client---A---U21----B----U22---4900 M2---C---5506-3-----inside ASA ---D---outside Router (see attached diagram)

1. Lowered the MTU between U21 and U22 to 1300.
2. Pinged from the Client to the outside router with an MTU of 1200.
Packets are not fragmented and the ping is successful.
Verified with the 'debug icmp trace' command on the ASA, 'show log' on the ASA, and captures on the inside and outside interfaces of the ASA that the connection is allowed.
3. Pinged from the Client to the outside router with an MTU of 1400.
Packets are fragmented and the ping fails.
Verified with the 'debug icmp trace' command on the ASA, 'show log' on the ASA, and captures on the inside and outside interfaces of the ASA that the ASA drops the packet-too-big ICMP packet.

Conditions:
This happens when ICMP inspection is enabled.
If it is disabled, the packet goes through.