    Cisco ASA reporting teardrop between 2 PfSense IPSec VPN

    IPsec
    galphanet:

      Hello,

      We use 2 pfSense (2.0.2) routers and an IPsec tunnel between them.
      (aggressive, AES-256, SHA1, DH2)

      Most of the time, there is almost no traffic in this tunnel.
      But once a day, there is about 80 Mb/s traffic during 3-4 hours.

      On one end, our network provider has a Cisco ASA that reports a teardrop attack while this traffic occurs.

      Here is the error message:

      Error Message: %ASA-2-106020
      Explanation: The ASA discarded an IP packet with a teardrop
      signature containing either a small offset or fragment overlapping.
      This is a hostile event that circumvents the ASA or an Intrusion
      Detection System

      What causes this problem and what can we do to correct it?

      Ask me for technical details if needed.

      Thank you for your help.

      EDIT:
      This is a Cisco ASA-5585-X version 8.4(5)

      galphanet:

        Hello,

        I can confirm that Snort sees this problem too: frag3: Number of overlapping fragments exceed configured limit.

        Do you know how to troubleshoot this ?

        Thank you

        jimp (Rebel Alliance Developer, Netgate):

          Set up MSS clamping on both sides of the tunnel (System > Advanced, Misc tab) to make sure that TCP connections are using properly sized packets and don't fragment much. A value such as 1400 would be a good place to start.


          galphanet:
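          As a worked example (added here; not code from the thread, from pfSense or from Cisco), the following Python computes how large a full-MSS TCP segment becomes after ESP tunnel-mode encapsulation with the tunnel parameters named in the thread (AES-256-CBC with a 16-byte IV and 16-byte block alignment, HMAC-SHA1-96 with a 12-byte ICV) and which MSS still fits a 1500-byte path MTU, with and without NAT-T. It assumes IPv4 without options, a 20-byte TCP header, and that the ESP ICV and IV sizes are the RFC defaults for those algorithms. The helper pf_max_mss_for_gui_value encodes an assumption, not a documented fact: that pfSense treats the configured clamp value as an MTU and emits a pf max-mss rule 40 bytes smaller; verify that against the scrub lines in /tmp/rules.debug on the version in use. Two caveats the calculation makes visible: an MSS of exactly 1400 still yields ESP packets larger than 1500 bytes with these overheads, and MSS clamping only touches TCP, so UDP or other non-TCP traffic inside the tunnel is unaffected by it.

```python
"""ESP tunnel-mode size calculator for an AES-256-CBC / HMAC-SHA1-96 IPsec tunnel.

Constructed example; the constants are RFC defaults (RFC 3602 for AES-CBC,
RFC 2404 for HMAC-SHA1-96), the header sizes assume IPv4 and TCP without options.
"""

OUTER_IP = 20     # outer IPv4 header, no options
UDP_NAT_T = 8     # UDP header added when NAT traversal is active
ESP_HDR = 8       # SPI + sequence number
AES_IV = 16       # AES-CBC explicit IV
AES_BLOCK = 16    # ESP payload is padded to the cipher block size
ESP_TRAILER = 2   # pad length + next header bytes
SHA1_96_ICV = 12  # truncated HMAC-SHA1 authentication tag
INNER_IP = 20     # encapsulated IPv4 header (tunnel mode)
TCP_HDR = 20      # TCP header, no options


def esp_packet_size(mss: int, nat_t: bool = False) -> int:
    """Wire size of one full-MSS TCP segment after ESP tunnel encapsulation."""
    inner = INNER_IP + TCP_HDR + mss
    # inner packet + trailer must be a multiple of the AES block size
    padding = (-(inner + ESP_TRAILER)) % AES_BLOCK
    outer = OUTER_IP + (UDP_NAT_T if nat_t else 0)
    return outer + ESP_HDR + AES_IV + inner + padding + ESP_TRAILER + SHA1_96_ICV


def will_fragment(mss: int, path_mtu: int = 1500, nat_t: bool = False) -> bool:
    """True if the encapsulated packet exceeds the MTU of the path carrying ESP."""
    return esp_packet_size(mss, nat_t) > path_mtu


def max_mss(path_mtu: int = 1500, nat_t: bool = False) -> int:
    """Largest TCP MSS whose encapsulated packet still fits path_mtu."""
    mss = path_mtu - INNER_IP - TCP_HDR
    while mss > 0 and will_fragment(mss, path_mtu, nat_t):
        mss -= 1
    return mss


def pf_max_mss_for_gui_value(gui_value: int) -> int:
    """ASSUMPTION: pfSense applies the VPN clamp value as an MTU and writes
    'max-mss <value - 40>' into the pf scrub rule. Check /tmp/rules.debug."""
    return gui_value - INNER_IP - TCP_HDR


if __name__ == "__main__":
    for mss in (1460, 1400, 1398, pf_max_mss_for_gui_value(1400)):
        print(f"MSS {mss}: ESP packet {esp_packet_size(mss)} bytes, "
              f"fragments over a 1500 MTU: {will_fragment(mss)}")
    print("largest MSS that fits a 1500 MTU:", max_mss())
    print("same, with NAT-T:", max_mss(nat_t=True))
```

          Running it shows a default 1460-byte MSS becoming a 1560-byte ESP packet, an MSS of 1400 becoming 1512 bytes, and 1398 as the largest MSS that fits 1500 bytes without NAT-T (1382 with it). Because padding is block-aligned, the fit is not monotonic in a simple way; compute it rather than guess. If the clamp is applied on both ends and fragmentation alerts persist, look at what protocol the fragmented packets actually carry, since clamping cannot help non-TCP flows.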

            Hello,

            Thanks for your advice. I changed this setting yesterday to 1400.
            Today, Snort and the ASA are reporting the same error…

            (One side is connected by fiber directly to the backbone and the other side has a cable modem with DOCSIS 3)

            I don't really know what to do now...

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.