68-19
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 68 Configuring IKE, Load Balancing, and NAC
Configuring IPsec
For example, suppose a client wants to FTP get from an FTP server behind an ASA. The FTP server
transmits packets that, when encapsulated, would exceed the ASA's MTU size on the public interface.
The selected options determine how the ASA processes these packets. The pre-fragmentation policy
applies to all traffic travelling out the ASA public interface.
The ASA encapsulates all tunneled packets. After encapsulation, the ASA fragments packets that exceed
the MTU setting before transmitting them through the public interface. This is the default policy. This
option works for situations where fragmented packets are allowed through the tunnel without hindrance.
For the FTP example, large packets are encapsulated and then fragmented at the IP layer. Intermediate
devices may drop fragments, or may drop only out-of-order fragments. Load-balancing devices can introduce
out-of-order fragments.
When you enable pre-fragmentation, the ASA fragments tunneled packets that exceed the MTU setting
before encapsulating them. If the DF bit on these packets is set, the ASA clears the DF bit, fragments
the packets, and then encapsulates them. This action creates two independent, non-fragmented IP packets
that leave the public interface and reach the peer site as complete packets, where the fragments are
reassembled. In our example, the ASA overrides the MTU and allows fragmentation by clearing the DF bit.
Note Changing the MTU or the pre-fragmentation option on any interface tears down all existing connections.
For example, if 100 active tunnels terminate on the public interface, and you change the MTU or the
pre-fragmentation option on the external interface, all of the active tunnels on the public interface are
dropped.
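The FTP example above, modelled as an added Python example that is not part of the Cisco guide: a full-size cleartext packet with DF set is handled once with the default policy (encapsulate, then fragment) and once with pre-fragmentation (clear DF, fragment, then encapsulate). The 1500-byte MTU and the 73-byte ESP tunnel-mode overhead are assumptions chosen to keep the arithmetic simple.

```python
from dataclasses import dataclass

MTU = 1500          # assumed public-interface MTU in bytes
IP_HDR = 20         # IPv4 header without options
ESP_OVERHEAD = 73   # assumed tunnel-mode overhead: outer IP + ESP header/trailer/ICV + padding


@dataclass
class Packet:
    length: int                # total IP length, header included
    df: bool                   # don't-fragment bit
    encapsulated: bool = False
    is_fragment: bool = False  # on-the-wire IP fragment; the peer must reassemble before decrypting


def ip_fragment(pkt, mtu):
    """Fragment at the IP layer so no piece exceeds mtu. Returns [] when DF is set
    and the packet does not fit, i.e. the packet is dropped instead of fragmented."""
    if pkt.length <= mtu:
        return [pkt]
    if pkt.df:
        return []
    max_payload = (mtu - IP_HDR) // 8 * 8   # fragment offsets are counted in 8-byte units
    payload = pkt.length - IP_HDR
    pieces = []
    while payload > 0:
        take = min(payload, max_payload)
        pieces.append(Packet(IP_HDR + take, df=False,
                             encapsulated=pkt.encapsulated, is_fragment=True))
        payload -= take
    return pieces


def encapsulate(pkt):
    """Wrap a cleartext packet in ESP tunnel mode; the inner DF bit is copied to the outer header."""
    return Packet(pkt.length + ESP_OVERHEAD, df=pkt.df, encapsulated=True)


def post_fragmentation(pkt, mtu=MTU):
    """Default policy: encapsulate first, then fragment the ESP packet if it exceeds the MTU."""
    return ip_fragment(encapsulate(pkt), mtu)


def pre_fragmentation(pkt, mtu=MTU):
    """Pre-fragmentation: clear DF, fragment the cleartext so each piece still fits
    after encapsulation, then encapsulate each piece as its own whole ESP packet."""
    cleared = Packet(pkt.length, df=False)
    return [encapsulate(p) for p in ip_fragment(cleared, mtu - ESP_OVERHEAD)]


if __name__ == "__main__":
    ftp_data = Packet(1500, df=True)   # constructed: full-size FTP data packet with DF set
    print("post-frag:", [(p.length, p.is_fragment) for p in post_fragmentation(ftp_data)])
    print("pre-frag: ", [(p.length, p.is_fragment) for p in pre_fragmentation(ftp_data)])
```

With DF set, the default policy yields nothing (the oversized ESP packet cannot be fragmented), while pre-fragmentation yields two whole ESP packets of 1493 and 173 bytes that need no IP-layer reassembly on the path.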
Fields
Pre-Fragmentation—Shows the current pre-fragmentation configuration for every configured
interface.
Interface—Shows the name of each configured interface.
Pre-Fragmentation Enabled—Shows, for each interface, whether pre-fragmentation is
enabled.
DF Bit Policy—Shows the DF Bit Policy for each interface.
Edit—Displays the Edit IPsec Pre-Fragmentation Policy dialog box.
Modes
The following table shows the modes in which this feature is available:
Edit IPsec Pre-Fragmentation Policy
Use this pane to modify an existing IPsec pre-fragmentation policy and do-not-fragment (DF) bit policy
for an interface selected on the parent pane, Configuration > VPN > IPsec > Pre-Fragmentation.
Fields
Interface—Identifies the chosen interface. You cannot change this parameter using this dialog box.
Firewall Mode            Security Context
Routed    Transparent    Single    Multiple Context    System
——