Enabling IP Fragmentation on Cisco ASA IPSEC VPN Tunnel

I have an IPSEC VPN tunnel between an ASA-5505 and an 891 router. When I attempt to transmit security camera video over the IPSEC tunnel, I get Syslog ID error 106020 - Denying IP teardrop fragment. This results in my video stream being cancelled.

I have tried

ip audit signature 1103 disable

with no luck, to disable the inspection. What I would like to do is disable the inspection of any traffic on the tunnel, or at bare minimum disable the fragmentation inspection on the WAN of the ASA. Please advise as to the best method of disabling that inspection, and dealing with fragmentation from Unix and camera hosts.

Regards.
Asked by: aalbert69

Nothing_Changed Commented:
Is your camera inside one ASA on one side of the tunnel, and your server inside the other side? If so, don't disable that outside, it's a good protection layer. Can you please paste in a syslog message? We should be able to disable that inspection more granularly, to preserve your security but still make your connection work.



0
 
aalbert69 (Author) Commented:
The cameras consist of 8 Axis IP cameras behind the 891 router, plus 1 Linux-based DVR that also streams video... In addition we have a lighting control system, and other things, but those seem to be working fine over the VPN. I will have to go onsite to get the syslog messages.

Regards.

0
 
Nothing_Changed Commented:
Are you using TCP or UDP as a transport protocol? The Axis documentation shows both protocols.
0
 
Nothing_Changed Commented:
When you do a "show asp drop", are your flow drops or frame drops incrementing with the reason of "security-failed"?
0
 
Nothing_Changed Commented:
Just checked more, it is only a frame drop that drops a teardrop signature...

If this is your problem for certain, you should see "show asp drop frame security-failed" incrementing on every stream fail.
0
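For readers wondering what a "teardrop" fragment is, here is an added example (not part of the thread, and not Cisco's code) of the general overlap test applied to the fragments of one IPv4 datagram, as you might run it on offsets and lengths read from a packet capture taken behind the cameras. The names `Fragment` and `check_fragments` and all sample values are constructed; the ASA's exact check is not shown on this page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset_units: int     # IPv4 fragment-offset field, counted in 8-byte units
    payload_len: int      # bytes of IP payload carried by this fragment
    more_fragments: bool  # MF flag

    @property
    def start(self) -> int:
        return self.offset_units * 8

    @property
    def end(self) -> int:
        return self.start + self.payload_len


def check_fragments(frags):
    """Check fragments sharing one (src, dst, protocol, IP ID) tuple.

    Returns a list of (kind, first_byte, last_byte_exclusive) findings:
    "overlap" is the teardrop-style condition, "gap" a missing range, and
    "bad-length" a non-final fragment whose length is not a multiple of 8.
    """
    findings = []
    covered_to = 0
    for f in sorted(frags, key=lambda f: (f.start, f.end)):
        if f.more_fragments and f.payload_len % 8:
            findings.append(("bad-length", f.start, f.end))
        if f.start < covered_to:
            findings.append(("overlap", f.start, min(f.end, covered_to)))
        elif f.start > covered_to:
            findings.append(("gap", covered_to, f.start))
        covered_to = max(covered_to, f.end)
    return findings


# Constructed sample: a 3008-byte UDP datagram split cleanly at a 1500-byte MTU.
CLEAN = [Fragment(0, 1480, True), Fragment(185, 1480, True), Fragment(370, 48, False)]
# Constructed sample: the second fragment lies inside the first one's byte range.
OVERLAPPING = [Fragment(0, 1480, True), Fragment(3, 16, False)]

if __name__ == "__main__":
    print("clean:      ", check_fragments(CLEAN))
    print("overlapping:", check_fragments(OVERLAPPING))
```

A "gap" finding on its own usually just means a fragment is missing from the capture, so only "overlap" results correspond to the teardrop condition.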
 
aalbert69 (Author) Commented:
Never fully resolved ... But A for effort
0