Cisco Bug: CSCus63115 - ASA drops packet-too-big when icmp inspection is on (traffic thru ASA)
Mar 02, 2017
- Cisco ASA 5500-X Series Firewalls
Known Affected Releases
Symptom:
Client---A---U21----B----U22---4900 M2---C---5506-3-----inside ASA ---D---outside Router (see attached diagram)
1. Lowered the MTU between U21 and U22 to 1300.
2. Pinged from the Client to the outside router with an MTU of 1200. Packets are not fragmented and the ping is successful. Verified with the 'debug icmp trace' command on the ASA, 'show log' on the ASA, and captures on the inside and outside interfaces of the ASA that the connection is allowed.
3. Pinged from the Client to the outside router with an MTU of 1400. Packets are fragmented and the ping fails. Verified with the 'debug icmp trace' command on the ASA, 'show log' on the ASA, and captures on the inside and outside interfaces of the ASA that the ASA drops the packet-too-big ICMP packet.
Conditions: This happens when ICMP inspection is enabled. If it is disabled, the packet goes through.