This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Panorama fragmentation

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Panorama fragmentation

Richard_M
L2 Linker

‎05-15-2023 03:49 AM

Hi,
If the checkbox for Fragmented traffic is uncheck, does that mean that the fw will not discard fragmented traffic? 

Richard_M_3-1684146287887.png

 

I have a case where someone says "10.154.74.0/23: We can not send from, or send to,  packages bigger than 1472. All ports are defined to 9216 bits. 10.154.74.17 and 10.154.74.34 can be pinged with big packages."

I checked the interface and it has an MTU size off 1500

 

Richard_M_2-1684146274804.png

 

With the setup shown, will it mean that the fw allows fragmentation, and will it do so in both directions? 
If it only allows it in one direction, is it possible to allow it in both direction? and if so, how do I do that? 

//Richard M
0 Likes Likes
2 REPLIES 2

kat3xx
L0 Member

‎05-16-2023 03:12 AM

If it's checked then you will drop all fragmented traffic, so you are correct.

 

Perhaps you need to enable jumboframes if you haven't done so already?

0 Likes Likes

Richard_M
L2 Linker
In response to kat3xx

‎05-17-2023 01:21 PM

Hi @kat3xx 
Thank you for your answer. I checked the jumboframe and it was already enabled. 

I got some more info.
There are two situations. One where it works and one where it don`t work:
The source is the same but the destionation address is different and is in two differente DC. There exists opening for both secenarios.

Situation 1:
The src and dst address is in the same DC and the traffic only need to go through one zone and one fw. In this case, everything works as intended.

Situation 2:
The src and dst address is in two different DC`s and the traffic goes through three zones. In this case the fragmentet traffic is not received at the dst.

From what I can see from the traffic log, the traffic is allowed in both situations, but is there someway to see if fragmented traffic is going through in some way or is it enough to see that the traffic is allowed in the traffic log? 

They also did some ping where should have issued a ping with up to 1472 packets (if you can say it like that) and it went through, but if they issued a ping from 1473 and above it didn`t work. Does this give any sense? 

Is there something else I should check?
I am not sure if this is a fw issue or not.

//Richard M
0 Likes Likes
  • 1119 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks