Cisco ASA reporting teardrop between 2 PfSense IPSec VPN

  • Hello,

    We use 2 pfSense (2.0.2) routers and an IPsec tunnel between them.
    (aggressive, AES-256, SHA1, DH2)

    Most of the time, there is almost no traffic in this tunnel.
    But once a day, there is about 80 Mb/s traffic during 3-4 hours.

    On one end, our network provider has a Cisco ASA that reports a teardrop attack while this traffic occurs.

    Here is the error message:

    Error Message : %ASA-2-106020
         Explanation : The ASA discarded an IP packet with a teardrop
         signature containing either a small offset or fragment overlapping.
         This is a hostile event that circumvents the ASA or an Intrusion
         Detection System

    What causes this problem and what can we do to correct it?

    Ask me for technical details if needed.

    Thank you for your help.

    This is a Cisco ASA-5585-X version 8.4(5)

  • Hello,

    I can confirm that Snort sees this problem too: frag3: Number of overlapping fragments exceed configured limit.

    Do you know how to troubleshoot this?

    Thank you
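The frag3 alert above is raised when fragments of one IP datagram claim bytes that an earlier fragment already covered. The following script, added here as an illustration and not part of the original thread, walks a constructed list of fragments the way a reassembly engine does and counts, per datagram, exact duplicates (a retransmitted fragment, which is benign), genuine overlaps (new data over bytes already held) and undersized non-final fragments (the "small offset" case the ASA message names). The fragment tuples, the `min_nonfinal` size and the `overlap_limit` threshold are assumptions chosen for the example; the real Snort and ASA thresholds are not stated on this page.

```python
"""Per-datagram fragment overlap analysis (constructed example, not Snort/ASA code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    ident: int     # IP identification field shared by all fragments of one datagram
    offset: int    # byte offset of this fragment's payload (IP header field * 8)
    length: int    # payload length in bytes
    more: bool     # More Fragments (MF) flag

    @property
    def end(self):
        return self.offset + self.length


@dataclass
class Verdict:
    ident: int
    fragments: int
    overlaps: int        # fragments bringing new data over already-covered bytes
    duplicates: int      # fragments identical (offset, length) to one seen before
    small_nonfinal: int  # MF-flagged fragments shorter than min_nonfinal bytes
    complete: bool       # offset 0 seen, no gaps, and a final (MF=0) fragment seen
    exceeds_limit: bool  # overlaps above the configured overlap_limit


def analyze(fragments, min_nonfinal=8, overlap_limit=1):
    """Group fragments by IP id and report overlap/duplicate/size findings per datagram."""
    groups = defaultdict(list)
    for frag in fragments:
        groups[frag.ident].append(frag)

    verdicts = {}
    for ident, frags in groups.items():
        frags.sort(key=lambda f: (f.offset, f.length))
        seen = set()
        overlaps = duplicates = small = 0
        covered_end = 0   # highest byte offset already accounted for
        gap = False
        for frag in frags:
            key = (frag.offset, frag.length)
            if key in seen:
                duplicates += 1          # same bytes again: a retransmission, not an attack
                continue
            seen.add(key)
            if frag.offset < covered_end:
                overlaps += 1            # claims bytes an earlier fragment already delivered
            elif frag.offset > covered_end:
                gap = True               # hole in the byte range so far
            if frag.more and frag.length < min_nonfinal:
                small += 1               # non-final fragment too short to be legitimate
            covered_end = max(covered_end, frag.end)
        complete = (not gap) and frags[0].offset == 0 and any(not f.more for f in frags)
        verdicts[ident] = Verdict(ident, len(frags), overlaps, duplicates, small,
                                  complete, overlaps > overlap_limit)
    return verdicts


# Constructed sample: four datagrams, one per situation the thread mentions.
SAMPLE = [
    # id 1: ordinary 3-fragment datagram, contiguous, nothing wrong
    Fragment(1, 0, 1480, True), Fragment(1, 1480, 1480, True), Fragment(1, 2960, 500, False),
    # id 2: first fragment retransmitted once (duplicate, not an overlap)
    Fragment(2, 0, 1480, True), Fragment(2, 0, 1480, True), Fragment(2, 1480, 200, False),
    # id 3: second fragment starts inside the first (real overlap)
    Fragment(3, 0, 1480, True), Fragment(3, 1000, 600, False),
    # id 4: a 4-byte non-final fragment (undersized)
    Fragment(4, 0, 1480, True), Fragment(4, 1480, 4, True), Fragment(4, 1484, 100, False),
]


def suspicious_ids(fragments, **kwargs):
    """Return the ids of datagrams whose overlaps or sizes are not explained by retransmission."""
    return sorted(i for i, v in analyze(fragments, **kwargs).items()
                  if v.overlaps > 0 or v.small_nonfinal > 0)


if __name__ == "__main__":
    for ident, verdict in sorted(analyze(SAMPLE).items()):
        print(verdict)
    print("suspicious:", suspicious_ids(SAMPLE))
```

Run against a packet capture, the useful distinction is between datagrams whose "overlaps" are all exact duplicates (id 2 above, which a reassembler can ignore) and datagrams where a later fragment rewrites bytes already delivered (id 3); only the second kind is what a teardrop signature is meant to catch.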

  • Rebel Alliance Developer Netgate

    Set up MSS clamping on both sides of the tunnel (System > Advanced, Misc tab) to make sure that TCP connections are using properly sized packets and don't fragment much. A value such as 1400 would be a good place to start.
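To see why a TCP MSS in the 1400 range is suggested, it helps to work out how much ESP adds to each packet. The calculator below is an added example, not pfSense code and not from the thread; it assumes tunnel-mode ESP over IPv4 with AES-CBC (16-byte IV, padding to 16-byte blocks) and HMAC-SHA1-96 (12-byte ICV), matching the AES-256/SHA1 proposal in the first post, no TCP options, and an optional NAT-T UDP header. It goes slightly beyond the advice by also computing the largest MSS that keeps the encrypted packet within a given outer MTU. It only describes TCP: MSS clamping has no effect on UDP or ICMP, which keep whatever size the sender chooses.

```python
"""ESP tunnel-mode packet size calculator (constructed example; sizes per RFC 4303/3602/2404)."""
from dataclasses import dataclass

IPV4_HEADER = 20
TCP_HEADER = 20          # no TCP options assumed; options shrink payload, not the inner size
ESP_HEADER = 8           # SPI + sequence number
ESP_TRAILER = 2          # pad length + next header
AES_BLOCK = 16           # AES-CBC IV size and padding alignment
HMAC_SHA1_96_ICV = 12    # truncated HMAC-SHA1 integrity check value
UDP_HEADER = 8           # NAT-T encapsulation when present


@dataclass
class EspSize:
    inner: int     # bytes of the original (inner) IP packet
    padding: int   # ESP padding bytes added to reach a whole cipher block
    outer: int     # bytes of the encrypted packet on the wire
    mtu: int

    @property
    def fragments(self):
        return self.outer > self.mtu


def esp_tunnel_outer_size(inner_len, nat_t=False, block=AES_BLOCK, icv=HMAC_SHA1_96_ICV):
    """Outer packet size and padding for an inner packet of inner_len bytes."""
    padding = (-(inner_len + ESP_TRAILER)) % block   # payload + trailer fills whole blocks
    outer = (IPV4_HEADER + (UDP_HEADER if nat_t else 0) + ESP_HEADER
             + block + inner_len + padding + ESP_TRAILER + icv)
    return outer, padding


def tcp_segment_over_ipsec(mss, mtu=1500, nat_t=False):
    """Size of a full-MSS TCP segment after ESP tunnel-mode encapsulation."""
    inner = IPV4_HEADER + TCP_HEADER + mss
    outer, padding = esp_tunnel_outer_size(inner, nat_t)
    return EspSize(inner, padding, outer, mtu)


def max_mss_for_mtu(mtu=1500, nat_t=False, block=AES_BLOCK, icv=HMAC_SHA1_96_ICV):
    """Largest TCP MSS whose encrypted packet still fits in mtu without fragmenting."""
    fixed = IPV4_HEADER + (UDP_HEADER if nat_t else 0) + ESP_HEADER + block + icv
    room = mtu - fixed              # left for payload + padding + trailer
    room -= room % block            # must be a whole number of cipher blocks
    inner = room - ESP_TRAILER
    return inner - IPV4_HEADER - TCP_HEADER


if __name__ == "__main__":
    for mss in (1460, 1400, 1398, 1380):
        s = tcp_segment_over_ipsec(mss)
        print(f"MSS {mss}: inner {s.inner}, pad {s.padding}, outer {s.outer}, "
              f"{'fragments' if s.fragments else 'fits'}")
    print("largest MSS for 1500-byte MTU:", max_mss_for_mtu())
    print("largest MSS for 1500-byte MTU with NAT-T:", max_mss_for_mtu(nat_t=True))
```

With these parameters an unclamped 1460-byte MSS gives a 1560-byte outer packet, which must be fragmented on a 1500-byte path; the padding to a whole AES block means the cut-off is a few bytes below a round number, so checking the computed value against the actual path MTU (which on a cable or PPPoE link may be below 1500) is worth doing before choosing the clamp.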

  • Hello,

    Thanks for your advice. I changed this setting yesterday to 1400.
    Today, Snort and the ASA are reporting the same error…

    (One side is connected by fiber directly to the backbone and the other side has a cable modem with docsis 3)

    I don't really know what to do now...