Packet dropped as IP Sanity test failed
09/28/2022
Description
According to the Fragmentation and Reassembly section of RFC 791 (Internet Protocol), every internet module must be able to forward a datagram of 68 octets without further fragmentation. This is because an internet header may be up to 60 octets, and the minimum fragment is 8 octets. So if the packet size is less than 68 bytes, SonicWall drops the packet because it fails the IP sanity check. To work with these kinds of non-standard IP implementations, enable "Allow first fragment of size lesser than 68 bytes" in the internal settings.
Resolution
NOTE: Testing was done on firmware version 5.8.1.13, so the drop codes in the screenshot are from the 5.8.1.13 firmware only.
Step 1: Take a packet capture and export it in HTML and libpcap format.
Step 2: Look for the Drop code and Module ID, 25 and 26 respectively (on 5.8.1.13).
Step 3: Export the capture in libpcap format and check the size of the fragmented IP packet.
In the attached image, the size of the packet is 24 bytes (< 68 bytes), so the SonicWall drops the packet.
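The size check in Step 3 can also be scripted against the libpcap export. The following is an added example, not SonicWall code: it lists first fragments (More Fragments set, fragment offset 0) smaller than 68 bytes. It assumes an Ethernet capture and compares the IPv4 Total Length field, which may not be the exact length the firewall measures; the function names and the sample capture are constructed for illustration.

```python
import struct

MIN_FIRST_FRAGMENT = 68  # RFC 791: 60-octet maximum header + 8-octet minimum fragment

def undersized_first_fragments(pcap_bytes):
    """Return (packet_no, src, dst, ip_total_length) for first fragments under 68 bytes."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if endian is None:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    hits, offset, number = [], 24, 0
    while offset + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[offset + 8:offset + 12])[0]
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        number += 1
        # Skip anything that is not IPv4 over Ethernet with a full 20-byte header.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
            continue
        ip = frame[14:]
        total_len, _ident, flags_frag = struct.unpack("!HHH", ip[2:8])
        more_fragments = bool(flags_frag & 0x2000)   # MF flag
        frag_offset = flags_frag & 0x1FFF            # in 8-octet units
        if more_fragments and frag_offset == 0 and total_len < MIN_FIRST_FRAGMENT:
            src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
            hits.append((number, src, dst, total_len))
    return hits

def sample_pcap():
    """Constructed capture: four IPv4 packets between documentation addresses."""
    def record(total_len, flags_frag):
        eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                         64, 17, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
        frame = eth + ip + b"\x00" * (total_len - 20)
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join([
        record(28, 0x2000),   # first fragment, 28 bytes: flagged
        record(68, 0x2000),   # first fragment, exactly 68 bytes: allowed
        record(28, 0x0006),   # last fragment (offset 6, MF clear): small is normal
        record(28, 0x0000),   # unfragmented datagram
    ])

if __name__ == "__main__":
    for hit in undersized_first_fragments(sample_pcap()):
        print("packet %d: %s -> %s first fragment of %d bytes" % hit)
```

To check a real export, read the file in binary mode and pass its bytes to `undersized_first_fragments`; the source addresses it reports identify the non-standard senders before the internal setting is changed.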
Resolution/Workaround:
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
- Log in to the SonicWall. In the browser address bar, change the URL from https://IP_Of_SonicWall/sonicui/7/m/mgmt/settings/main to https://IP_Of_SonicWall/sonicui/7/m/mgmt/settings/diag
- Click on Internal Settings
- Go to Network and Routing
- Enable Allow first fragment of size lesser than 68 bytes
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
- Log in to the SonicWall. In the browser address bar, change the URL from https://IP_Of_SonicWall/main.html to https://IP_Of_SonicWall/diag.html
- Click on Internal Settings
- Go to Network and Routing
- Enable Allow first fragment of size lesser than 68 bytes