"First fragment too small" causes network disruption

    • Updated:
    • 11 Sep 2015
    • Product/Version:
    • Deep Security 8.0
    • Deep Security 9.0
    • Deep Security 9.5
    • Deep Security 9.6
    • Deep Security as a Service 2.0
    • Platform:
    • CentOS 5.4 32-bit
    • CentOS 5.4 64-bit
    • CentOS 5.5 32-bit
    • CentOS 5.5 64-bit
    • CentOS 5.6 32-bit
    • CentOS 5.6 64-bit
    • CentOS 5.7 32-bit
    • CentOS 5.7 64-bit
    • CentOS 5.8 32-bit
    • CentOS 5.8 64-bit
    • CentOS 6 32-bit
    • CentOS 6 64-bit
    • CentOS 6.1 32-bit
    • CentOS 6.1 64-bit
    • CentOS 6.2 32-bit
    • CentOS 6.2 64-bit
    • Linux - Red Hat RHEL 4 64-bit
    • Linux - Red Hat RHEL 5 64-bit
    • Linux - Red Hat RHEL 6 64-bit
    • Netware version 5.1
    • VMware ESX - 5.0
    • VMware ESX 5.0
    • VMware ESXi 5.0
    • Windows 2003 Enterprise
    • Windows 2003 Enterprise 64-bit
    • Windows 2003 Server R2
    • Windows 2003 Standard
    • Windows 2003 Standard 64-bit
    • Windows 2008 Enterprise
    • Windows 2008 Enterprise 64-bit
    • Windows 2008 Server R2
    • Windows 2008 Server R2 with Hyper-V(TM)
    • Windows 2008 Standard
    • Windows 2008 Standard 64-bit
    • Windows 7 32-bit
    • Windows 7 64-bit
    • Windows 8 32-bit
    • Windows 8 64-bit
    • Windows Vista 32-bit
    • Windows Vista 64-bit
    • Windows XP Professional
    • Windows XP Professional 64-bit
Summary
You cannot access the Internet when the Deep Security Agent or Appliance and the Web Reputation module are both activated on a machine.
This issue also occurs with unlicensed Firewall modules.
Details
Deep Security needs to perform some level of normalization and stateful analysis on traffic that will be processed by DPI rules. This ensures that the traffic is in a normal state for inspection. During this normalization, errors may occur in the Verifier module. To ensure that all events for discarded packets, and events other than DPI events, are logged, they are recorded in the Firewall (FW) events.
A packet is dropped with the reason "First fragment too small" when it has the following configuration:
  • MF flag = 1
  • Offset value = 0
  • Total length (maximum combined header length) = less than 120 bytes
For Deep Security 7.0 Service Pack 1, resolve this issue by applying hot fix 1658 and adjusting the value of Minimum Fragment size, which has a default value of 120.
For Deep Security 8.0 and 9.0, set the Minimum Fragment size to a lower value or "0" to turn off this inspection.
  1. Open the policy you want to modify.
    • For Deep Security 8.0, go to Security Profile and open the details of the policy.
    • For Deep Security 9.0, go to the Policies tab and click Policies, then open the details.
  2. Click Settings.
  3. Select the Network Engine tab and click the Advanced Network Engine Settings section.
  4. Untick the Default settings.
  5. Look for Minimum Fragment size and adjust its value. You can initially set it to "60". If the problem persists, set the value to "0".
  6. Click Save.
  7. Resend the policy to the agent or appliance.
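The drop condition listed above, and the effect of the Minimum Fragment size values used in the steps (120, 60 and 0), can be checked against packet headers taken from a capture. The following Python sketch is an added example, not Trend Micro code; it assumes "Total length" means the IPv4 Total Length header field, and all function names and sample headers are constructed for illustration.

```python
import struct

def build_ipv4_header(total_length, mf, frag_offset):
    """Constructed sample input: a 20-byte IPv4 header (checksum left at 0)."""
    flags_frag = ((1 if mf else 0) << 13) | (frag_offset & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234,
                       flags_frag, 64, 6, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))

def parse_fragment_fields(packet):
    """Return (total_length, mf, frag_offset) from a raw IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_length, _ident, flags_frag = struct.unpack(
        "!BBHHH", packet[:8])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    # Bit 13 of the flags/offset word is MF; the low 13 bits are the offset.
    return total_length, bool(flags_frag & 0x2000), flags_frag & 0x1FFF

def first_fragment_too_small(packet, min_fragment_size=120):
    """True when the packet meets all three conditions from the article.
    Assumption: "Total length" is the IPv4 Total Length field.
    A Minimum Fragment size of 0 turns the inspection off."""
    if min_fragment_size == 0:
        return False
    total_length, mf, offset = parse_fragment_fields(packet)
    return mf and offset == 0 and total_length < min_fragment_size

# Constructed sample headers: (total length, MF flag, fragment offset)
SAMPLES = {
    "first_frag_96":   build_ipv4_header(96, True, 0),
    "first_frag_40":   build_ipv4_header(40, True, 0),
    "first_frag_1500": build_ipv4_header(1500, True, 0),
    "later_frag_40":   build_ipv4_header(40, True, 185),
    "unfragmented_40": build_ipv4_header(40, False, 0),
}

def evaluate(min_fragment_size):
    """Map each sample name to whether it would be dropped at this setting."""
    return {name: first_fragment_too_small(pkt, min_fragment_size)
            for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for size in (120, 60, 0):
        print(size, evaluate(size))
```

Running the same check over the first-fragment headers in a capture shows which total lengths are present and therefore whether lowering the value to 60 is enough before falling back to 0.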
Category:
Configure; Troubleshoot
Solution Id:
1098855