Cisco Secure Access Fragmented ICMP Packet Handling

Available Languages

Download Options

  • PDF     (4.0 KB)
    View with Adobe Reader on a variety of devices
Updated:April 9, 2026
Document ID:226010

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Contents

Issue

ICMP echo requests larger than the MTU are not receiving replies when sent with the DF (Don't Fragment) bit disabled. This behavior occurs in two specific scenarios:

  • From RAVPN endpoints over the VPN interface when sending ICMP packets that exceed the VPN interface MTU size with the DF bit cleared
  • From on-premise endpoints over an IPsec tunnel between a site router and Cisco Secure Access (CSA) when sending ICMP packets that exceed the IPsec tunnel interface MTU size with the DF bit cleared

In both cases, no ICMP responses are received, leading to questions about whether CSA drops fragmented packets with the DF bit disabled.

Environment

  • Cisco Secure Access (CSA)
  • RAVPN (Remote Access VPN) endpoints
  • IPsec tunnels between site routers and CSA
  • ICMP traffic exceeding interface MTU sizes
  • Fragmented packet scenarios with DF bit cleared

Resolution

Cisco Secure Access drops fragmented packets in both underlay and overlay scenarios. This behavior is documented in the Cisco Secure Access Help documentation, which explicitly states: "Fragmented packets in the underlay or overlay are dropped."

Expected Behavior

Cisco Secure Access is designed to drop fragmented packets regardless of whether they occur in the underlay or overlay network. This applies to:

  • ICMP packets sent from RAVPN endpoints that exceed the VPN interface MTU with DF bit cleared

  • ICMP packets sent from on-premise endpoints over IPsec tunnels that exceed the tunnel interface MTU with DF bit cleared

This behavior is consistent across all scenarios involving fragmented packets within the Cisco Secure Access infrastructure.

Feature request CSE-I-5739 has been created for this.

Cause

Cisco Secure Access is architected to drop fragmented packets as a security and performance design decision. This behavior is implemented to prevent potential security vulnerabilities and processing overhead associated with packet reassembly in both underlay and overlay network scenarios.

Related Content

Revision History

Revision Publish Date Comments
1.0
04-Jun-2026
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • TAC

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products