Drop Code: 435(Packet received in IPv6 and large than MTU(#1)), Module Id: 20(IPsec)

Description

Drop Code: 435(Packet received in IPv6 and large than MTU(#1)), Module Id: 20(IPsec)

Cause

Per RFC 2460, routers do not fragment transit IPv6 traffic. Fragmentation is performed only by the source node, once it learns the fragmentation boundary condition from ICMPv6 Packet Too Big messages. An IOS router acting as an IPsec endpoint therefore does not fragment traffic going into the tunnel, so the IPsec pre-fragmentation feature simply does not apply to IPv6.


PMTUD also requires ICMP type 2 packets to be allowed. Because we deny ICMP packets on WAN interfaces by default, PMTUD is not performed and so cannot be used to avoid fragmentation.
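
The following is an added example, not SonicWall code: it builds and validates the ICMPv6 type 2 (Packet Too Big) message that PMTUD depends on and returns the MTU the source node would adopt. The function names are hypothetical, and the addresses and invoking packet are constructed sample values.

```python
import ipaddress
import struct

ICMPV6_PACKET_TOO_BIG = 2   # ICMPv6 type 2, the message PMTUD depends on
IPV6_MIN_MTU = 1280         # minimum IPv6 link MTU, in bytes
NEXT_HEADER_ICMPV6 = 58     # IPv6 Next Header value for ICMPv6


def icmpv6_checksum(src: str, dst: str, icmp: bytes) -> int:
    """Internet checksum over the IPv6 pseudo-header plus the ICMPv6 message."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(icmp), NEXT_HEADER_ICMPV6))
    data = pseudo + icmp + (b"\x00" if len(icmp) % 2 else b"")
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet_too_big(src: str, dst: str, mtu: int, invoking: bytes) -> bytes:
    """Type 2, code 0, checksum, 32-bit MTU, then the start of the invoking packet."""
    body = struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu) + invoking
    csum = icmpv6_checksum(src, dst, body)
    return body[:2] + struct.pack("!H", csum) + body[4:]


def path_mtu_from_icmpv6(src: str, dst: str, icmp: bytes):
    """Return the path MTU to adopt, or None if this is not a valid Packet Too Big."""
    if len(icmp) < 8:
        return None
    msg_type, _code, _csum, mtu = struct.unpack("!BBHI", icmp[:8])
    if msg_type != ICMPV6_PACKET_TOO_BIG:
        return None
    # With a correct checksum in place, recomputing over the message yields zero.
    if icmpv6_checksum(src, dst, icmp) != 0:
        return None
    # A source never lowers its path MTU estimate below the IPv6 minimum.
    return max(mtu, IPV6_MIN_MTU)


if __name__ == "__main__":
    router, host = "2001:db8::1", "2001:db8::2"   # constructed documentation addresses
    invoking = b"\x60" + bytes(47)                # constructed stand-in for the dropped packet
    pkt = build_packet_too_big(router, host, 1400, invoking)
    print(path_mtu_from_icmpv6(router, host, pkt))
```
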

Resolution

Fragmentation should be performed below the SonicWall, on the customer's switches. Suggest that the customer set an MTU size of 1280 bytes (the minimum MTU size for IPv6) on the switches below the SonicWall.
