
Virtual Defragmentation


lengoo

IS-IT--Management
Jan 15, 2002
Dear All,
We have two sites connected via a VPN link. One side of the firewall (my side) is using the Checkpoint software on a Nokia box and the other side have been using the Lucent Brick system.
I have been getting the following errors:

Virtual defragmentation erro: Timeout (x.x.x.x ->x.x.x.x proto 50 id 47783 len 0 offset 0) - 68 fragments dropped during the last 60 seconds

I am getting this every time I am transferring large bits of information between our sites. This slows our network down dramatically, and when sending multiple files we find that files are not always transferred over.
I have been researching the web and found that it could be related to the MTU size of the packets. Does anyone have any comments regarding this, and procedures which we could implement to fix this?

Many thanks for your help
 
Not sure if it's doable, but have you tried changing the MTU size on the Lucent Brick system?

I am having the same issue with my Checkpoint to SonicWall SOHO VPNs. Take a look at my posting "Checkpoint VPN to Sonicwall kerberos failure" for more ideas, as I listed some things we tried, but no luck.

Best of luck,

C
 
Hello Cyndra,
Thanks for your reply. However, I have been unable to find your previous post... could you point me in the right direction?
We have found out that the main reason for the high number of dropped packets is that we are experiencing packet loss across the VPN link; we found this by doing traceroutes.
Also, I got some info from our network providers to counter this, I enclose it below:

"
This happens on FireWall-1 when packets are received that require fragmentation, but FireWall-1 is not able to process them.

FireWall-1 will take fragmented packets and attempt to re-assemble them "in-memory" to determine whether or not the packet passes the security policy or not. If it does, it processes it accordingly but sends it out as it was received: fragmented (thus the term "Virtual Defragmentation").

If FireWall-1 receives too many packet fragments or does not receive all fragments within a certain period of time, then FireWall-1 drops the packets. The limits can be changed with the following additions/modifications to objects.C under the :props() section."

The Checkpoint recommended solution is to increase the timeout on defragmentation as follows:

Add the following line to objects.C file in the props section as described below.

:fwfrag_timeout (90)


Before editing the objects.C file we would recommend you back up the firewall. To edit the objects.C file do the following:

1. The objects.C file should be configured on the VPN-1/FireWall-1 Management Module only.

2. Before configuring the objects.C file:
- Close all VPN-1/FireWall-1 GUI clients
- Stop the Management Module using the fwstop command
- Delete the files objects.C.sav and objects.C.bak

3. Backup the original objects.C to another partition or folder.

4. Make the desired changes to the objects.C file by editing the $FWDIR/conf/objects.C file using a basic text editor, such as Notepad or vi. Do not use a word processor.

Ensure you add the new line into the 'props' section as shown:
---------------------------------------------------
:props (
:fwfrag_timeout (90)
---------------------------------------------------

5. Save the changes to the objects.C file

6. Restart the Management Module using the fwstart command and verify that the change you made is saved.

7. Install the Security Policy.


Regards
Alan Lee
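Step 4 above is a hand edit of a file the whole policy depends on, so it is worth doing it in a way that cannot leave a duplicate or misplaced key. The helper below is an added example, not code from this thread or from Check Point: it sets :fwfrag_timeout inside the :props ( ... ) section of a constructed objects.C fragment, replaces an existing value instead of appending a second one, and refuses to guess if no :props section is found. The sample file layout, the .orig backup name and the ValueError behaviour are assumptions.

```python
import re
import shutil
from pathlib import Path

# Constructed objects.C fragment in the FireWall-1 "( :key (value) )" layout; real files are far larger.
SAMPLE_OBJECTS_C = """(
\t:props (
\t\t:fw1_enable (true)
\t\t:fwfrag_limit (200)
\t)
\t:netobj ()
)
"""


def set_props_value(objects_c: str, name: str, value: str) -> str:
    """Return objects_c with ':name (value)' set inside the :props ( ... ) section.

    An existing entry is replaced in place (re-running never duplicates it); a
    missing entry goes directly below ':props ('; no :props section raises.
    """
    lines = objects_c.splitlines(keepends=True)
    start = next((i for i, l in enumerate(lines) if re.match(r"^\s*:props\s*\(\s*$", l)), None)
    if start is None:
        raise ValueError("no :props section found in objects.C")
    # Walk forward counting parentheses to find the line that closes :props.
    depth, end = 0, None
    for j in range(start, len(lines)):
        depth += lines[j].count("(") - lines[j].count(")")
        if depth == 0:
            end = j
            break
    if end is None:
        raise ValueError(":props section is never closed")
    key_re = re.compile(r"^(\s*):" + re.escape(name) + r"\s*\([^)]*\)\s*$")
    for k in range(start + 1, end):
        m = key_re.match(lines[k])
        if m:  # key already present: rewrite its value, keep its indentation
            lines[k] = f"{m.group(1)}:{name} ({value})\n"
            return "".join(lines)
    # Not present: reuse the indentation of the first existing child, or one tab.
    children = [l for l in lines[start + 1:end] if l.strip()]
    indent = re.match(r"^\s*", children[0]).group(0) if children else "\t"
    lines.insert(start + 1, f"{indent}:{name} ({value})\n")
    return "".join(lines)


def update_objects_c(path: Path, name: str = "fwfrag_timeout", value: str = "90") -> Path:
    """Copy objects.C to objects.C.orig (assumed backup name), then rewrite it in place."""
    backup = path.with_name(path.name + ".orig")
    shutil.copy2(path, backup)
    path.write_text(set_props_value(path.read_text(), name, value))
    return backup
```

Run update_objects_c on $FWDIR/conf/objects.C with the Management Module stopped (step 2), then fwstart and reinstall the policy as in steps 6 and 7.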
 