Explanation of "dropped by fwchain_frag Reason: wait for more fragments"
Symptoms
  • Kernel debug (fw ctl debug -m fw + drop) shows that traffic is dropped:
    fw_log_drop: Packet proto= ... dropped by fwchain_frag Reason: wait for more fragments
Cause

The fragments are handled as follows:

  1. Frame is received by the Firewall.

  2. The Firewall recognizes that the "More Fragments" flag is set.

  3. The Firewall records the fragment into the "frag_table" kernel table (this table has a limit of "100" entries and a timeout of "1" second, by default).

  4. Once the fragment is recorded in the "frag_table" kernel table, this frame is dropped with a debug print.

    • The first frame of a fragmented connection generates a print that contains the Proto / IP address / Ports:

      fw_log_drop: Packet proto=17 1.1.1.1:161 -> 2.2.2.2:32825 dropped by fwchain_frag Reason: wait for more fragments;
    • Subsequent fragment frames generate a generic drop print that does not contain the Proto / IP address / Ports:

      fw_log_drop: Packet proto=-1 ?:0 -> ?:0 dropped by fwchain_frag Reason: wait for more fragments;
  5. Once the Firewall receives the final fragment, the packet is recreated in the kernel and processed.
    The entry is deleted from the "frag_table" kernel table.

  6. The Firewall processes the packet, and egresses the packet onto an interface.
    Note: When the Firewall egresses the packet, it might fragment the packet once more based on the outbound interface's MTU.
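As an added example (not part of this SecureKnowledge article), the following Python script separates the two fragment bookkeeping prints described above from drops by other chain modules, and flags when a debug capture shows more new fragmented flows than the default "frag_table" size. The sample debug lines are constructed, and "example_chain" / "example reason" are placeholders, not real module or reason strings.

```python
import re
from collections import Counter

# Constructed sample of "fw ctl debug -m fw + drop" output (not from a real gateway); the last line is a placeholder drop by some other chain module.
SAMPLE_DEBUG = """\
fw_log_drop: Packet proto=17 1.1.1.1:161 -> 2.2.2.2:32825 dropped by fwchain_frag Reason: wait for more fragments;
fw_log_drop: Packet proto=-1 ?:0 -> ?:0 dropped by fwchain_frag Reason: wait for more fragments;
fw_log_drop: Packet proto=-1 ?:0 -> ?:0 dropped by fwchain_frag Reason: wait for more fragments;
fw_log_drop: Packet proto=6 10.0.0.5:44321 -> 10.0.0.9:443 dropped by example_chain Reason: example reason;
"""

FRAG_TABLE_LIMIT = 100  # default size of the "frag_table" kernel table, per the article
DROP_RE = re.compile(
    r"fw_log_drop: Packet proto=(?P<proto>-?\d+) (?P<src>\S+):(?P<sport>\d+) -> "
    r"(?P<dst>\S+):(?P<dport>\d+) dropped by (?P<chain>\S+) Reason: (?P<reason>[^;]+)"
)

def classify(line):
    """Return (category, detail) for one fw_log_drop line, or None for any other line."""
    m = DROP_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    if d["chain"] == "fwchain_frag" and d["reason"].strip() == "wait for more fragments":
        if d["proto"] == "-1":  # generic print: a later fragment of an already-recorded flow
            return ("subsequent_fragment", None)
        # first fragment: a new frag_table entry, and the only print that names the flow
        return ("new_fragmented_flow", f'{d["proto"]} {d["src"]}:{d["sport"]} -> {d["dst"]}:{d["dport"]}')
    return ("other_drop", f'{d["chain"]}: {d["reason"].strip()}')  # a real drop worth investigating

def summarize(debug_text):
    """Separate fragment bookkeeping prints from other drops and flag frag_table pressure."""
    counts, flows = Counter(), []
    for line in debug_text.splitlines():
        result = classify(line)
        if result is None:
            continue
        category, detail = result
        counts[category] += 1
        if category == "new_fragmented_flow":
            flows.append(detail)
    return {
        "new_fragmented_flows": counts["new_fragmented_flow"],
        "subsequent_fragments": counts["subsequent_fragment"],
        "other_drops": counts["other_drop"],
        "flows": flows,
        # more new flows than frag_table entries (default 100): entries may be evicted before reassembly
        "frag_table_pressure": counts["new_fragmented_flow"] > FRAG_TABLE_LIMIT,
    }
```

Because the debug lines carry no timestamps, the pressure flag compares against the table size only; the 1-second default timeout has to be judged from the capture window.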

Solution