Check Point firewall drops fragmented traffic with "Virtual defragmentation error"

Article ID: 167824

Products

XOS

Issue/Introduction

This article describes a possible solution for an issue in which a Check Point firewall drops legitimate fragmented traffic. Fragmented traffic is dropped and a message similar to the following is reported in the logs and debug information:

Virtual defragmentation error: Timeout

Cause

Problem:

Fragment handling can be affected by the following settings.

1.  The Check Point firewall internally reassembles fragmented packets before it enforces the policy. The mechanism waits for the configured time period and then deletes the record if no other associated fragments arrive. Fragmented packets that cannot be reassembled within the configured time period are dropped. The default timeout is 1 second.

2.  To protect system resources, the Check Point firewall limits the total number of fragmented packets allowed. The default number of fragmented packets allowed is 200.

To determine the current timeout and maximum number of fragmented packets allowed on your gateway, run the following command on the VAP:

fw tab -t frag_table

-------- frag_table --------
dynamic, id 8184, attributes: expires 1, limit 200, hashsize 512, free function 963fe5a8 0

In the example above, the default values are in effect.
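The following is an added example, not code from the article or from Check Point: it parses the attribute line of the fw tab output shown above and uses the extracted expires and limit values in a simplified model of the reassembly table, so that the two drop conditions described in the Cause section (fragments that arrive after the timeout, and a full table) can be reproduced offline. The sample output and the datagram ids are constructed; the cache model is an illustration of the behaviour described, not Check Point's implementation.

```python
import re

# Constructed sample output, in the same shape as "fw tab -t frag_table"
# prints on a gateway running the default values.
FRAG_TABLE_OUTPUT = """-------- frag_table --------
dynamic, id 8184, attributes: expires 1, limit 200, hashsize 512, free function 963fe5a8 0
"""

def parse_frag_table(text):
    """Return the numeric table attributes: expires (seconds), limit, hashsize."""
    m = re.search(r"attributes:\s*(.*)", text)
    if not m:
        raise ValueError("no 'attributes:' line found in fw tab output")
    # Only the three documented keys are numeric; "free function <addr> 0" is skipped.
    return {k: int(v) for k, v in re.findall(r"\b(expires|limit|hashsize)\s+(\d+)\b", m.group(1))}

class FragmentCache:
    """Simplified model (assumption, not Check Point's code) of the reassembly table:
    one record per in-flight datagram; a record is deleted once it is older than
    `expires` seconds, and no new record is created when `limit` records exist."""

    def __init__(self, expires, limit):
        self.expires = expires
        self.limit = limit
        self.records = {}      # datagram id -> (first_seen, set of fragment indexes)
        self.timed_out = []    # ids dropped with "Virtual defragmentation error: Timeout"

    def offer(self, dgram_id, frag_index, total, now):
        """Offer one fragment at time `now`; return 'forwarded', 'pending' or a drop reason."""
        # Expire stale records first, as the gateway does when the timer fires.
        for key in [k for k, (t0, _) in self.records.items() if now - t0 > self.expires]:
            del self.records[key]
            self.timed_out.append(key)
        if dgram_id not in self.records:
            if len(self.records) >= self.limit:
                return "dropped: fragment table full"
            self.records[dgram_id] = (now, set())
        _, seen = self.records[dgram_id]
        seen.add(frag_index)
        if len(seen) == total:
            del self.records[dgram_id]     # all fragments present: reassembled and forwarded
            return "forwarded"
        return "pending"

if __name__ == "__main__":
    attrs = parse_frag_table(FRAG_TABLE_OUTPUT)
    cache = FragmentCache(attrs["expires"], attrs["limit"])
    print(cache.offer(1, 0, 2, 0.0), cache.offer(1, 1, 2, 2.0), cache.timed_out)
```

With the default expires of 1 second, a second fragment arriving 2 seconds after the first opens a fresh record and the datagram is never reassembled; raising expires before re-running the same sequence shows it forwarded.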

Resolution

To resolve this issue, you can increase the timeout and maximum number of incomplete packets allowed in Check Point SmartCenter and apply the policy to your gateway.

Under the IPS section, open Protections > By Type > IP fragments, and then edit your IPS profile to increase one or both limits.


NOTE: This protection is enabled on your gateway even when IPS is not enabled.

Workaround

N/A