Support Center > Search Results > SecureKnowledge Details
Explanation of "dropped by fwchain_frag Reason: wait for more fragments" Technical Level
Symptoms
  • Kernel debug (fw ctl debug -m fw + drop) shows that traffic is dropped:
    fw_log_drop: Packet proto= ... dropped by fwchain_frag Reason: wait for more fragments
Cause

The fragments are handled as follows:

  1. Frame is received by the Firewall.

  2. The Firewall recognizes that the "More Fragments" flag is set.

  3. The Firewall records the fragment into the "frag_table" kernel table (this table has a limit of "100" entries and a timeout of "1" second, by default).

  4. Once the fragment is recorded in the "frag_table" kernel table, this frame is dropped with a debug print.

    • First frame of fragmented connection will generate a print that contains the Proto / IP address / Ports:

      fw_log_drop: Packet proto=17 1.1.1.1:161 -> 2.2.2.2:32825 dropped by fwchain_frag Reason: wait for more fragments;
    • Subsequent fragment frames will generate a generic drop that does not contain Proto / IP address / Ports:

      fw_log_drop: Packet proto=-1 ?:0 -> ?:0 dropped by fwchain_frag Reason: wait for more fragments;


  5. Once the Firewall receives the final fragment, the packet is virtually reassembled in the kernel and processed through the rulebase.
    The entry is deleted from the "frag_table" kernel table.

  6. Once accepted by the firewall the original fragments are forwarded through the egress interface of the firewall. The firewall does not forward the virtually reassembled packet. 

     

    Note: When the Firewall egresses the original fragments, it might need to fragment once more based on the outbound interface's MTU. For example if the largest fragment received is 1400 bytes, but the egress interface has an MTU of 1300 then further fragmentation will need to take place on egress.  

Solution
Note: To view this solution you need to Sign In .