Victor Sudakov wrote:
> As soon as I enable CBAC on the outside interface:
>
> interface Serial0/0
> ip access-group DENY_ALL in
> ip inspect FOO out
>
> those non-initial fragments stop arriving. I think CBAC does not
> create dynamic ACL entries for the fragments for some reason.
This must
Nikolay Shopik wrote:
>
> Because UDP is a connectionless protocol, fragmented UDP packets will be
> dropped if they arrive at the destination out of order.
Did you look at the packet dump I provided? What makes you think they
arrived out of order?
I guess CBAC may be closing the UDP "session"
Victor,
Because UDP is a connectionless protocol, fragmented UDP packets will be
dropped if they arrive at the destination out of order. And the most
common-sense fix is to switch to TCP.
And did you try adding "ip inspect name FOO fragment"?
On 17/02/12 09:04, Victor Sudakov wrote:
Colleagues,
I have
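For readers following the thread, here is what the suggested change looks like in context. This is an added illustrative configuration, not a snippet posted by Victor or Nikolay: the names FOO, DENY_ALL and Serial0/0 are taken from the thread, while the ACL body, the inspected protocols and the fragment limits are assumptions chosen to show the syntax.

```cisco
! Added example, not from the original thread.
! DENY_ALL is assumed to be a deny-everything extended ACL; CBAC's dynamic
! entries are what let return traffic through it.
ip access-list extended DENY_ALL
 deny ip any any
!
! Inspection rule FOO: inspect UDP and TCP sessions leaving Serial0/0.
ip inspect name FOO udp
ip inspect name FOO tcp
!
! Fragment inspection (the line Nikolay suggests). The limits are
! assumptions: track up to 256 unassembled datagrams, each for at most
! 1 second. Non-initial fragments are passed only if their initial
! fragment has already been seen and matched the session.
ip inspect name FOO fragment maximum 256 timeout 1
!
interface Serial0/0
 ip access-group DENY_ALL in
 ip inspect FOO out
!
! Checks to run on the router while reproducing the problem.
show ip inspect config
show ip inspect sessions detail
```

When looking at the output of `show ip inspect sessions detail`, the thing to compare against the packet dump is whether a UDP session for the Kerberos response exists at the moment the non-initial fragments arrive; if the session has already been torn down or the initial fragment took another path, the fragments have nothing to match and are dropped regardless of the fragment inspection line.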
Colleagues,
I have searched the cisco-nsp archives and found similar topics but
not much that is useful for my problem.
Some UDP Kerberos responses arrive fragmented because they don't
fit into the 1500 MTU. You can see a sample packet dump here:
http://zalil.ru/32722730 (the non-initial fragments are i