Technical Support recommends that you investigate the reason why there are so many orphaned IP fragments occurring in the network that can't be reassembled successfully (for example, not all fragments of an IP packet arrive).
To investigate the source of the issue:
- Obtain a capture from the network, and examine the attack and where it originates. If it originates from inside the network, examine the equipment with the originating IP address for configuration and hardware issues. We recommend that you use Wireshark to perform this capture.
- Check the network topology for any setup issues that might prevent the Sensor from seeing all IP fragments of any particular session (for example, asymmetric routes and resilience paths).
- Check the port setup and speed or duplex settings on all networking equipment for mismatches and faulty setup.
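To help with the capture step, the following added example (not vendor code) groups IPv4 fragments by source, destination, protocol and IP ID, then counts per source address the datagrams whose fragments leave a gap or never include a final fragment. It assumes the packets have already been exported from the capture as raw IPv4 bytes with the link-layer header removed; the function names and the sample packets are constructed for illustration.

```python
import socket
import struct
from collections import Counter, defaultdict

def is_complete(frags):
    """True when fragments cover offset 0 through a final (MF=0) fragment with no gap."""
    covered, saw_last = 0, False
    for start, end, more in sorted(frags):
        if start > covered:
            return False  # hole before this fragment: a piece never arrived
        covered = max(covered, end)
        saw_last = saw_last or not more
    return saw_last

def orphaned_by_source(packets):
    """Count, per source IP, fragmented IPv4 datagrams that cannot be reassembled."""
    groups = defaultdict(list)  # (src, dst, proto, ip_id) -> [(start, end, more)]
    for pkt in packets:
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            continue  # not IPv4
        ihl = (pkt[0] & 0x0F) * 4
        total_len, ip_id, flags_off = struct.unpack_from("!HHH", pkt, 2)
        more = bool(flags_off & 0x2000)       # More Fragments flag
        start = (flags_off & 0x1FFF) * 8      # fragment offset in bytes
        if not more and start == 0:
            continue  # unfragmented datagram
        key = (pkt[12:16], pkt[16:20], pkt[9], ip_id)
        groups[key].append((start, start + total_len - ihl, more))
    orphans = Counter()
    for (src, _dst, _proto, _ip_id), frags in groups.items():
        if not is_complete(frags):
            orphans[socket.inet_ntoa(src)] += 1
    return orphans

def frag(src, ip_id, offset, payload_len, more):
    """Build a constructed IPv4/UDP fragment (checksum left at zero; sample data only)."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ip_id, flags_off,
                      64, 17, 0, socket.inet_aton(src), socket.inet_aton("192.0.2.10"))
    return hdr + bytes(payload_len)

# Constructed sample: ID 1 is complete, ID 2 lacks its middle fragment,
# ID 3 lacks its final fragment.
SAMPLE = [
    frag("198.51.100.7", 1, 0, 1480, True), frag("198.51.100.7", 1, 1480, 520, False),
    frag("203.0.113.9", 2, 0, 1480, True), frag("203.0.113.9", 2, 2960, 100, False),
    frag("203.0.113.9", 3, 0, 1480, True),
]

if __name__ == "__main__":
    print(orphaned_by_source(SAMPLE).most_common())
```

Sources with high counts are the first addresses to check against the topology and duplex items in the list above.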