
Re: [fw1-gurus] Virtual defragmentation error: fragment table is full

On Fri, Feb 27, 2009 at 2:34 AM, System Administrator <[email protected]> wrote:
> We use Checkpoint FW1 R55 with ai in a cluster with rainwall.
> The data throughput between the DMZ is very slow for the last day.
> In one of the nodes I get the following error.
> -------------------------------------------------------------------------------
> FW-1: Virtual defragmentation error: fragment table is full (xxx.xxx.xxx.xxx ->
> xxx.xxx.xxx.xxx proto 17 id 26458 len 1500 offset 17760) - 353232 fragments
> dropped during the last 60 seconds
> -------------------------------------------------------------------------------

Normally, VPN-1 receives a packet and makes a determination about
whether or not to pass it. In the case of a fragmented packet, there
isn't enough information in the packet to determine whether or not to
actually pass it. What VPN-1 does is attempt to assemble all the
received packet fragments in memory prior to making a decision.

Legitimate traffic is rarely fragmented, though you may see it in
situations where different network paths have different MTUs or when
large packets traverse a VPN (in the latter case, it is caused by
IPSec packet overhead). If you see a large number of packet fragments
(and thus these errors), it is either because someone is maliciously
trying to send you a lot of fragmented packets or you have a
rogue/misconfigured/compromised machine on your network.

-- PhoneBoy
fw1-gurus mailing list
[email protected]
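To make the mechanism PhoneBoy describes concrete (the firewall holds fragments in memory until the whole datagram can be inspected, and once the fragment table is full new fragment sets are dropped and counted), here is an added Python model. It is not code from this thread or from Check Point; the table capacity, the fragment sizes and the addresses are constructed values chosen for illustration, and offsets are kept in bytes, matching how the log line above prints them.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Fragment:
    """One IP fragment as seen by the firewall (constructed, simplified)."""
    src: str
    dst: str
    proto: int
    ident: int       # IP identification field shared by all fragments of a datagram
    offset: int      # byte offset of this fragment's payload in the original datagram
    length: int      # payload bytes carried by this fragment
    more: bool       # IP "More Fragments" flag; False marks the last fragment


FlowKey = Tuple[str, str, int, int]   # (src, dst, proto, id) identifies one datagram


@dataclass
class FragmentSet:
    """Fragments collected so far for one datagram."""
    pieces: Dict[int, int] = field(default_factory=dict)   # offset -> length
    total: Optional[int] = None   # datagram length, known once the last fragment arrives

    def complete(self) -> bool:
        # Complete when the last fragment has been seen and the pieces cover
        # the datagram contiguously from offset 0 to its end.
        if self.total is None:
            return False
        pos = 0
        for off in sorted(self.pieces):
            if off != pos:
                return False
            pos = off + self.pieces[off]
        return pos == self.total


class VirtualDefragmenter:
    """Fixed-capacity fragment table, modelling 'virtual defragmentation'.

    Real implementations also age out stale entries; that timeout is omitted
    here so the effect of incomplete fragment sets on the table is visible.
    """

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.table: Dict[FlowKey, FragmentSet] = {}
        self.dropped = 0                      # fragments refused because the table was full
        self.reassembled: List[FlowKey] = []  # datagrams released for inspection

    def receive(self, f: Fragment) -> Optional[int]:
        """Accept one fragment; return the datagram length once it is complete."""
        key = (f.src, f.dst, f.proto, f.ident)
        fs = self.table.get(key)
        if fs is None:
            # A fragment for a datagram we are not yet tracking needs a new
            # table slot; when none is free the fragment is dropped and counted.
            if len(self.table) >= self.capacity:
                self.dropped += 1
                return None
            fs = self.table[key] = FragmentSet()
        fs.pieces[f.offset] = f.length
        if not f.more:
            fs.total = f.offset + f.length
        if fs.complete():
            # Whole datagram is now in memory: free the slot and pass it on
            # to the rule base, which can finally decide on it.
            del self.table[key]
            self.reassembled.append(key)
            return fs.total
        return None


def simulate() -> Tuple[int, int, int]:
    """Constructed scenario; returns (datagrams reassembled, fragments dropped, table size)."""
    d = VirtualDefragmenter(capacity=4)
    src, dst = "10.0.0.1", "10.0.1.1"   # constructed addresses

    # A legitimate 3000-byte UDP datagram split for a 1500-byte MTU, arriving out of order.
    d.receive(Fragment(src, dst, 17, 26458, 1480, 1480, True))
    d.receive(Fragment(src, dst, 17, 26458, 2960, 40, False))
    d.receive(Fragment(src, dst, 17, 26458, 0, 1480, True))

    # Six datagrams whose remaining fragments never arrive: the first four
    # occupy every slot, the next two are refused at the door.
    for ident in range(100, 106):
        d.receive(Fragment(src, dst, 17, ident, 0, 1480, True))

    # A fragment for an already-tracked datagram still fits (no new slot needed).
    d.receive(Fragment(src, dst, 17, 100, 1480, 1480, True))

    return len(d.reassembled), d.dropped, len(d.table)


if __name__ == "__main__":
    print(simulate())
```

Run as a script and the scenario yields one reassembled datagram, two dropped fragments and a table that stays full, which is the situation the log line reports at a much larger scale: slots pinned by fragment sets that never complete, so legitimate fragmented traffic is dropped along with the rest.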