Filter
Top Products
34-16
Cisco ASDM User Guide
OL-16647-01
Chapter 34 IKE
IPsec
–
Time Range—Specify the name of an existing time range or create a new range.
–
... —Displays the Add Time Range pane, on which you can define a new time range.
–
Please enter the description below (optional)—Provides space for you to enter a brief
description of the rule.
Modes
The following table shows the modes in which this feature is available:
Pre-Fragmentation
Use this panel to set the IPsec pre-fragmentation policy and do-not-fragment (DF) bit policy for any
interface.
The IPsec pre-fragmentation policy specifies how to treat packets that exceed the maximum transmission
unit (MTU) setting when tunneling traffic through the public interface. This feature provides a way to
handle cases where a router or NAT device between the security appliance and the client rejects or drops
IP fragments. For example, suppose a client wants to FTP get from an FTP server behind a security
appliance. The FTP server transmits packets that when encapsulated would exceed the security
appliance’s MTU size on the public interface. The selected options determine how the security appliance
processes these packets. The pre-fragmentation policy applies to all traffic travelling out the security
appliance public interface.
The security appliance encapsulates all tunneled packets. After encapsulation, the security appliance
fragments packets that exceed the MTU setting before transmitting them through the public interface.
This is the default policy. This option works for situations where fragmented packets are allowed through
the tunnel without hindrance. For the FTP example, large packets are encapsulated and then fragmented
at the IP layer. Intermediate devices may drop fragments or just out-of-order fragments. Load-balancing
devices can introduce out-of-order fragments.
When you enable pre-fragmentation, the security appliance fragments tunneled packets that exceed the
MTU setting before encapsulating them. If the DF bit on these packets is set, the security appliance
clears the DF bit, fragments the packets, and then encapsulates them. This action creates two
independent non-fragmented IP packets leaving the public interface and successfully transmits these
packets to the peer site by turning the fragments into complete packets to be reassembled at the peer site.
In our example, the security appliance overrides the MTU and allows fragmentation by clearing the DF
bit.
Note Changing the MTU or the pre-fragmentation option on any interface tears down all existing connections.
For example, if 100 active tunnels terminate on the public interface, and you change the MTU or the
pre-fragmentation option on the external interface, all of the active tunnels on the public interface are
dropped.
Firewall Mode Security Context
Routed Transparent Single
Multiple
Context System
• — • ——