Bug ID 499538: Fragmented ESP packets were getting dropped in BIG-IP with MTU = 576

Last Modified: Oct 06, 2020

Affected Product:
BIG-IP TMOS(all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9

Opened: Jan 06, 2015
Severity: 3-Major

Symptoms

The db variable tm.minipfragsize is set to 576 by default on the image 11.5.1-hf6. This means that the BIG-IP system does not process packets with a payload length of less than 576 bytes. When the MTU is set to 576, each fragment arrives as a 576-byte IP packet, and because the IP header is typically 20 bytes of that, the payload is shorter than 576 bytes and the BIG-IP system drops the 576-byte fragmented packets. The workaround for this issue is to set the db variable value to 552 so that the fragments pass the IP minimum size check.

Impact

There are packet drops on the BIG-IP system. Data traffic does not pass through the BIG-IP system if ESP is fragmented.

Conditions

-- MTU set to 576 on the interface of an intermediate node before the BIG-IP system.
-- The db variable tm.minipfragsize set to anything greater than 552.
-- ESP packets reach the BIG-IP system as fragmented with size 576 bytes.

Workaround

Set the db variable tm.minipfragsize to 552 when the MTU is set to 576 on any node before the BIG-IP system.
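
The arithmetic behind the 552 value, as an added example that is not F5 code: IPv4 fragment offsets count 8-byte units, so a non-final fragment at MTU 576 with a 20-byte header carries 576 - 20 rounded down to a multiple of 8, which is 552 bytes. The function names and the 1500-byte sample datagram are constructed, and modelling the check as a comparison of each non-final fragment's payload with tm.minipfragsize is an assumption.

```python
# Added example: IPv4 fragmentation arithmetic for the MTU 576 case.
# ASSUMPTION: the minimum-size check is modelled as comparing each non-final
# fragment's payload length with tm.minipfragsize; the BIG-IP system's actual
# check is not shown on the page.

IP_HEADER_LEN = 20  # typical IPv4 header without options, as stated on the page


def fragment(total_len, mtu, ihl=IP_HEADER_LEN):
    """Split an IPv4 datagram of total_len bytes for a link with the given MTU.

    Returns (offset_bytes, payload_len, more_fragments) tuples. Non-final
    fragments carry a multiple of 8 payload bytes, because the fragment
    offset field counts 8-byte units (RFC 791).
    """
    payload = total_len - ihl
    if payload <= 0:
        raise ValueError("datagram has no payload")
    per_frag = (mtu - ihl) // 8 * 8
    if per_frag <= 0:
        raise ValueError("MTU too small to carry any payload")
    frags, offset = [], 0
    # Emit full-size fragments until the remainder fits in one packet.
    while payload - offset > mtu - ihl:
        frags.append((offset, per_frag, True))
        offset += per_frag
    frags.append((offset, payload - offset, False))
    return frags


def dropped_fragments(frags, min_frag_size):
    """Non-final fragments whose payload is below min_frag_size (modelled check)."""
    return [f for f in frags if f[2] and f[1] < min_frag_size]


def max_safe_min_frag_size(mtu, ihl=IP_HEADER_LEN):
    """Largest threshold that still accepts full-size non-final fragments."""
    return (mtu - ihl) // 8 * 8


if __name__ == "__main__":
    # Constructed sample: a 1500-byte ESP datagram crossing a hop with MTU 576.
    frags = fragment(1500, 576)
    for threshold in (576, 552):
        bad = dropped_fragments(frags, threshold)
        print(f"tm.minipfragsize={threshold}: "
              f"{len(bad)} of {len(frags)} fragments below minimum")
    print("largest safe value for MTU 576:", max_safe_min_frag_size(576))
```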

Fix Information

None

Behavior Change