Hi,
I tried to trace the UDP flow stream to investigate the drops; below are my observations:
+ I found that in the below stream the first fragment has not been received on the device, due to which the succeeding fragments are queued, and after waiting for 3 sec (default timeout) the fragments are dropped, which is the root cause of this issue. This would increment fragments aged out in "get session frag".
63052.0: ethernet0/2(i) len=1518:005056a2c0d0->0010dbff2060/8100/0800, tag 3
207.38.68.135 -> 216.218.227.10/17
vhl=45, tos=00, id=18645, frag=20b9, ttl=64 tlen=1500
frag offset=1480 more fragment=1
63052.0: ethernet0/2(i) len=1518:005056a2c0d0->0010dbff2060/8100/0800, tag 3
207.38.68.135 -> 216.218.227.10/17
vhl=45, tos=00, id=18645, frag=2172, ttl=64 tlen=1500
frag offset=2960 more fragment=1
63052.0: ethernet0/2(i) len=1518:005056a2c0d0->0010dbff2060/8100/0800, tag 3
207.38.68.135 -> 216.218.227.10/17
vhl=45, tos=00, id=18645, frag=222b, ttl=64 tlen=1500
frag offset=4440 more fragment=1
63052.0: ethernet0/2(i) len=1518:005056a2c0d0->0010dbff2060/8100/0800, tag 3
207.38.68.135 -> 216.218.227.10/17
vhl=45, tos=00, id=18645, frag=2000, ttl=64 tlen=1500
frag offset=0 more fragment=1
udports 52661->5201, len=8200
+ I suspect that the first fragment is getting dropped either on the upstream device or on the FW interface, to confirm the same
+ I suggested if we need the end machine is sending the segments with the size 7400 bytes, which is causing the fragmentation over the network. To avoid this, enable PMTU on the end machine or tune the size of the segment at the application layer.
+ In the meantime we can try to understand which device is dropping the traffic (first fragment)
Can you please provide me with the below-mentioned logs during the time of the issue for more analysis:
+ Debug flow basic simultaneously with snoop
+ get session frag
+ Get counter stat <5-10 times>
Regards,
Rishi
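
The following is an added example, not part of the original message: a small Python parser for snoop output in the format quoted above that groups fragments by source, destination, protocol and IP ID, keeps their arrival order, and reports which byte ranges of each datagram were never seen. The sample input is constructed (documentation addresses, Ethernet header lines omitted), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the quoted snoop format; not taken from the capture above.
SAMPLE = """\
192.0.2.1 -> 198.51.100.2/17
vhl=45, tos=00, id=100, frag=20b9, ttl=64 tlen=1500
frag offset=1480 more fragment=1
192.0.2.1 -> 198.51.100.2/17
vhl=45, tos=00, id=100, frag=0172, ttl=64 tlen=500
frag offset=2960 more fragment=0
192.0.2.1 -> 198.51.100.2/17
vhl=45, tos=00, id=101, frag=00b9, ttl=64 tlen=520
frag offset=1480 more fragment=0
192.0.2.1 -> 198.51.100.2/17
vhl=45, tos=00, id=101, frag=2000, ttl=64 tlen=1500
frag offset=0 more fragment=1
"""

ADDR = re.compile(r"^(\S+) -> (\S+)/(\d+)$")
HDR = re.compile(r"vhl=([0-9a-f]{2}), tos=\w+, id=(\d+), frag=[0-9a-f]+, ttl=\d+ tlen=(\d+)")
FRAG = re.compile(r"frag offset=(\d+) more fragment=([01])")

def parse_fragments(text):
    """Map (src, dst, proto, ip_id) -> [(offset, payload_len, mf), ...] in arrival order."""
    groups = defaultdict(list)
    addr = hdr = None
    for line in text.splitlines():
        line = line.strip()
        if m := ADDR.match(line):
            addr, hdr = m.groups(), None
        elif m := HDR.search(line):
            # IP header length comes from the low nibble of vhl (0x45 -> 20 bytes).
            hdr = ((int(m.group(1), 16) & 0xF) * 4, int(m.group(2)), int(m.group(3)))
        elif (m := FRAG.match(line)) and addr and hdr:
            ihl, ip_id, tlen = hdr
            groups[addr + (ip_id,)].append((int(m.group(1)), tlen - ihl, int(m.group(2))))
    return dict(groups)

def missing_ranges(frags):
    """Uncovered byte ranges; a final (start, None) means no MF=0 fragment was seen."""
    gaps, pos = [], 0
    for off, length, _ in sorted(frags):
        if off > pos:
            gaps.append((pos, off))
        pos = max(pos, off + length)
    if not any(mf == 0 for _, _, mf in frags):
        gaps.append((pos, None))
    return gaps

if __name__ == "__main__":
    for key, frags in parse_fragments(SAMPLE).items():
        print(key, "arrival offsets:", [f[0] for f in frags], "missing:", missing_ranges(frags))
```

A datagram whose report includes a gap starting at 0 never had its first fragment captured at that point, while one that only shows offset 0 late in the arrival order was reordered rather than lost.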