Bug ID 499538: Fragmented ESP packets were getting dropped in BIG-IP with MTU = 576

Last Modified: Mar 12, 2019


Affected Product:
BIG-IP TMOS(all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9

Opened: Jan 06, 2015
Severity: 3-Major

Symptoms

The db variable tm.minipfragsize was set to 576 by default on the image 11.5.1-hf6. This means that BIG-IP will not process packets with a payload length of less than 576 bytes. When the MTU is set to 576, the payload length is 576 minus the IP header length (typically 20 bytes), so the 576-byte fragmented packets were getting dropped. The workaround is to set the db variable to 552 so that these packets pass the IP minimum size check.

Impact

Data traffic does not pass through BIG-IP if ESP is fragmented.

Conditions

The MTU is set to 576 on the interface of an intermediate node before BIG-IP, and the db variable tm.minipfragsize is set to anything greater than 552. When ESP packets reach BIG-IP as fragments of 576 bytes, BIG-IP drops them.

Workaround

Set the db variable tm.minipfragsize to 552 when the MTU is set to 576 on any node before BIG-IP.
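
On a 576-byte MTU with a 20-byte IP header, non-final fragments carry 552 bytes of payload, because fragment offsets are counted in 8-byte units (RFC 791). The Python sketch below is an added example, not F5 code: the drop check is a simplified assumption modelled on the description above, and the 1480-byte ESP payload is a constructed sample.

```python
# Added example: RFC 791 fragmentation arithmetic plus a minimum-fragment-size
# check. The check is an assumption based on the bug description, not BIG-IP code.

def fragment_payloads(ip_payload_len, mtu, ip_header_len=20):
    """Return the IP payload length of each fragment produced for `mtu`."""
    if ip_payload_len + ip_header_len <= mtu:
        return [ip_payload_len]  # fits in one packet, no fragmentation
    # Fragment offsets are expressed in 8-byte units, so every non-final
    # fragment must carry a payload that is a multiple of 8 bytes.
    per_frag = ((mtu - ip_header_len) // 8) * 8
    if per_frag <= 0:
        raise ValueError("MTU too small to carry any fragment payload")
    full, rest = divmod(ip_payload_len, per_frag)
    return [per_frag] * full + ([rest] if rest else [])


def dropped_fragments(payloads, min_frag_size):
    """Assumed check: a non-final fragment whose payload is smaller than
    min_frag_size is dropped. The final fragment is exempt because it is
    legitimately short."""
    return [i for i, p in enumerate(payloads[:-1]) if p < min_frag_size]


def largest_safe_minipfragsize(mtu, ip_header_len=20):
    """Largest threshold that still accepts non-final fragments for `mtu`."""
    return ((mtu - ip_header_len) // 8) * 8


if __name__ == "__main__":
    # Constructed sample: an ESP packet with 1480 bytes of IP payload crossing
    # an intermediate hop whose MTU is 576.
    frags = fragment_payloads(1480, 576)
    print("fragment payloads:", frags)
    for threshold in (576, 552):
        print(f"tm.minipfragsize={threshold}: dropped fragment indexes",
              dropped_fragments(frags, threshold))
    print("largest safe value for MTU 576:", largest_safe_minipfragsize(576))
```
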

Fix Information

None

Behavior Change