Connection is dropped with "Failed to generate IP packet from fragments" in VSX environment
Symptoms
  • Fragments are dropped with "Failed to generate IP packet from fragments" and "Virtual fragmentation error: Timeout" in a VSX environment when traffic passes a virtual switch.
Cause

When fragmented packets are received, a pkt_list is created and the system checks whether the first fragment can jump over the VSW (wrp_jump_junction). If it can, the if_index is updated to the interface number of the VS (instead of the VSW).

However, this is done for the first fragment only, and not for all the other fragments, causing the fragments to be sent on different interfaces.

A simple zdebug will show that the first fragment (off = 0) is handled by the virtual system, but that the rest of the fragments are handled by the virtual switch.

[Expert]# fw ctl zdebug -buf 32000 -m fw + packet packval drop | grep frag

@;492;[vs_2];[tid_0];[fw4_0];frag_handle: <3.3.3.2,4.4.4.2,11> id = 8300 len = 1480, off = 0, last = 0 context = 0;
@;488;[vs_1];[tid_0];[fw4_0];frag_handle: <3.3.3.2,4.4.4.2,11> id = 8300 len = 1480, off = 1480, last = 0 context = 0;
@;488;[vs_1];[tid_0];[fw4_0];frag_handle: <3.3.3.2,4.4.4.2,11> id = 8300 len = 1480, off = 2960, last = 0 context = 0;
@;488;[vs_1];[tid_0];[fw4_0];frag_handle: <3.3.3.2,4.4.4.2,11> id = 8300 len = 60, off = 5920, last = 1 context = 0;
@;494;[vs_2];[tid_0];[fw4_0];fwfrag_expires: IP fragment expiration reached, freeing cookies;
@;494;[vs_2];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=17 3.3.3.2:5070 -> 4.4.4.2:5060 dropped by fwfrag_expires Reason: timeout has expired for fragment;
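
To check a longer capture for the same pattern, the following added example (not Check Point code) groups frag_handle lines by source, destination, protocol field and IP id, and reports datagrams whose fragments were handled in more than one virtual system context. The regular expression assumes the line layout shown in the output above; `split_datagrams` and `SAMPLE` are names made up for this example.

```python
import re
from collections import defaultdict

# Layout assumed from the frag_handle lines in the debug output above.
FRAG_RE = re.compile(
    r"\[(?P<vs>vs_\d+)\].*?frag_handle: "
    r"<(?P<src>[^,]+),(?P<dst>[^,]+),(?P<proto>[^>]+)>"
    r" id = (?P<id>\d+) len = \d+, off = (?P<off>\d+)"
)

def split_datagrams(lines):
    """Return {(src, dst, proto, id): {vs: [offsets]}} for every datagram
    whose fragments were handled in more than one [vs_N] context."""
    seen = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = FRAG_RE.search(line)
        if not m:
            continue  # e.g. fwfrag_expires or fw_log_drop_ex lines
        # The protocol field is kept as printed, without interpreting it.
        key = (m["src"], m["dst"], m["proto"], int(m["id"]))
        seen[key][m["vs"]].append(int(m["off"]))
    return {
        key: {vs: sorted(offs) for vs, offs in by_vs.items()}
        for key, by_vs in seen.items()
        if len(by_vs) > 1
    }

# Lines copied from the debug output above.
SAMPLE = """\
@;492;[vs_2];[tid_0];[fw4_0];frag_handle: <3.3.3.2,4.4.4.2,11> id = 8300 len = 1480, off = 0, last = 0 context = 0;
@;488;[vs_1];[tid_0];[fw4_0];frag_handle: <3.3.3.2,4.4.4.2,11> id = 8300 len = 1480, off = 1480, last = 0 context = 0;
@;488;[vs_1];[tid_0];[fw4_0];frag_handle: <3.3.3.2,4.4.4.2,11> id = 8300 len = 1480, off = 2960, last = 0 context = 0;
@;488;[vs_1];[tid_0];[fw4_0];frag_handle: <3.3.3.2,4.4.4.2,11> id = 8300 len = 60, off = 5920, last = 1 context = 0;
@;494;[vs_2];[tid_0];[fw4_0];fwfrag_expires: IP fragment expiration reached, freeing cookies;
""".splitlines()

if __name__ == "__main__":
    for (src, dst, proto, ip_id), by_vs in split_datagrams(SAMPLE).items():
        print(f"{src} -> {dst} proto field {proto} id {ip_id} split across contexts:")
        for vs, offs in sorted(by_vs.items()):
            print(f"  {vs}: offsets {offs}")
```
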

