
[SRX] How Post and Pre fragment packets are recognized in the IPsec decrypting node

[KB34918]


Summary:

This article explains how Post and Pre fragment packets are recognized on the IPsec decrypting node.

The technical documentation for the show security flow statistics command describes the 'Post fragments generated' and 'Pre fragments generated' counters.

Solution:

When the conditions match, the Post fragments or Pre fragments counter increments not only on the encrypting node, but also on the decrypting node.

For an explanation of the difference between "Post fragments" and "Pre fragments" packets received by the decrypting node, refer to KB34784 - 'Post fragments generated' counter increasing.

Ubuntu---SRX1--IPsec Tunnel---(ge-0/0/1)SRX2---PC
(Packet capture taken on ge-0/0/1 of SRX2)

When the Post fragments counter increments on SRX2:

Post fragments generated: 4
ESP packet, outer IP header:
..1. .... = More fragments: Set  <-- For a post fragment, the MF bit of the outer IP header is 'Set'

When the Pre fragments counter increments on SRX2:

Pre fragments generated: 4
ESP packet, outer IP header:
.0.. .... = Don't fragment: Not set <-- For a pre fragment, the outer header is not a fragment; the node checks the MF bit of the inner IP header after decryption
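As an added illustration (not Junos or SRX code), the classification the two captures above imply, written in Python: a post fragment is recognized from the outer IP header of the ESP packet, a pre fragment only from the inner IP header once the payload is decrypted. It also treats a non-zero fragment offset as fragmentation, which the captures do not show, and the `decrypt` callable is a constructed stand-in for the SRX's real ESP decryption.

```python
import struct

ESP_PROTO = 50  # IP protocol number for ESP

def ipv4_header_fields(pkt: bytes) -> dict:
    """Parse the fixed 20-byte IPv4 header and return the fields used here."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _ident, flags_frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {
        "ihl_bytes": (ver_ihl & 0x0F) * 4,
        "proto": proto,
        "df": bool(flags_frag & 0x4000),   # Don't Fragment
        "mf": bool(flags_frag & 0x2000),   # More Fragments
        "frag_offset": flags_frag & 0x1FFF,
    }

def classify_fragment(outer: bytes, decrypt) -> str:
    """Return 'post', 'pre' or 'none' for an ESP packet seen on the decrypting node.

    'post': the ESP packet itself is a fragment (outer MF set or non-zero offset),
            i.e. it was fragmented after encryption.
    'pre' : the outer packet is whole, but the decrypted inner IP header is a
            fragment, i.e. it was fragmented before encryption.
    """
    o = ipv4_header_fields(outer)
    if o["proto"] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    if o["mf"] or o["frag_offset"]:
        return "post"                       # decided on the outer header alone
    inner = decrypt(outer[o["ihl_bytes"]:])  # stand-in for ESP decryption
    i = ipv4_header_fields(inner)
    if i["mf"] or i["frag_offset"]:
        return "pre"                        # only visible after decryption
    return "none"

def build_ipv4(proto: int, payload: bytes, *, df=False, mf=False, offset=0) -> bytes:
    """Build a constructed IPv4 packet (checksum left 0; not what we examine)."""
    flags_frag = (0x4000 if df else 0) | (0x2000 if mf else 0) | (offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

# Constructed samples: the "ESP payload" is just the cleartext inner packet.
INNER_WHOLE = build_ipv4(17, b"x" * 8)
INNER_FRAG = build_ipv4(17, b"x" * 8, mf=True)
POST_FRAG = build_ipv4(ESP_PROTO, INNER_WHOLE, mf=True)   # fragmented after ESP
PRE_FRAG = build_ipv4(ESP_PROTO, INNER_FRAG)              # fragmented before ESP
```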
