This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Rccou
Participant
‎2020-03-05 04:59 AM
Jump to solution

Fragment Reassembly Time Exceeded Errors

I have 2 RADIUS servers that are trying to talk to each other through a Checkpoint R80.30 ClusterXL.

It seems to be failing with a lot of errors in the logs saying "Fragment_time_exceeded" traffic dropped.

I have tried to allow all ICMP between the end clients but there is no PMTUD taking place and there doesn't seem to be a way to enable this traffic to fragment and reassemble without failing with these errors.

We have all the latest hotfixes required.  Is there a reason for this?

errors.JPG

1 Solution

Accepted Solutions
Ilya_Yusupov
Employee
Employee
‎2020-03-08 12:31 AM
In response to RCCO
Jump to solution

it should be done via guidbedit and then push policy, see attached icmperrors.JPG

 

if you did it and still have an issue i suggest to open TAC case.

View solution in original post

4 Replies
G_W_Albrecht
Legend
Legend
‎2020-03-05 05:40 AM
Jump to solution

If this was a connection using VPN i would have cried MTU, MTU! But this looks different. Maybe still the following can help: sk98074: MTU and Fragmentation Issues in IPsec VPN

CCSE CCTE CCSM SMB Specialist
0 Kudos
Ilya_Yusupov
Employee
Employee
‎2020-03-05 09:31 AM
In response to G_W_Albrecht
Jump to solution

Please check under GuiDBedit "icmperrors", by default it should be allowed "true" looks like in your case the policy not allowing it, if it false change it to true and recheck.

RCCO
Participant
‎2020-03-06 02:13 AM
In response to Ilya_Yusupov
Jump to solution

Hi

I made this change, but I am still getting the same error.  I made the change on the management server - is this correct or did it need to get made on the firewalls themselves?

Yesterday I have also added an exception to the inspection settings for traffic between the 2 RADIUS servers in case this was the problem. It seemed to make it a little bit better but I still see the error and still have problems.

 

Thanks

Ilya_Yusupov
Employee
Employee
‎2020-03-08 12:31 AM
In response to RCCO
Jump to solution

it should be done via guidbedit and then push policy, see attached icmperrors.JPG

 

if you did it and still have an issue i suggest to open TAC case.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events