Tuesday, November 29, 2011

Problem with ICMP filtering and PMTU-D

Say the customer PC sends a 1500-byte packet with DF (Don't Fragment) set, which is the default for everything these days. It is fine on the switch, and it is fine on our router. Somewhere between us and the server it hits a link with an MTU of only 1400. The router attached to that link can't fragment the packet (DF is set), so it drops it and sends an ICMP error back to the source (ICMP type 3, code 4: Destination Unreachable, Fragmentation Needed and DF Set) explaining that the packet is too big and carrying the MTU of the next hop, so the originating host can send smaller packets. That ICMP packet comes from the intermediate router's address, not from the server, so it does not look like part of the data flow; a firewall that only admits traffic belonging to the outbound connection will drop it unless it is configured to pass it (or to inspect the original IP header quoted inside the ICMP message and relate the error to the existing flow). If the PC never sees the error, all it knows is that it never got a reply, so it keeps retransmitting the same 1500-byte packet, backing off each time, until the connection eventually times out.
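The exchange described above, as an added example that is not part of the original post: a Python script that constructs the 1500-byte DF-set TCP packet, builds the ICMP Fragmentation-Needed error a router would send back (RFC 792 / RFC 1191 layout: type 3, code 4, next-hop MTU in bytes 6-7, followed by the original IP header plus 8 bytes of its payload), and then shows the check a stateful firewall has to make to let that error through: parse the quoted inner header and match its 5-tuple against a flow that was seen leaving the network. The addresses, ports and flow table are constructed sample data (RFC 5737 documentation ranges), and `flow_table` stands in for whatever connection-tracking state a real firewall keeps.

```python
import socket
import struct

# ICMP "Destination Unreachable" (type 3), code 4 = "Fragmentation Needed and DF Set"
ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4
IP_FLAG_DF = 0x4000          # DF bit in the IPv4 flags/fragment-offset field
IPPROTO_ICMP, IPPROTO_TCP = 1, 6


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (0 when verifying a valid header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, total_length: int, proto: int, df: bool) -> bytes:
    """Minimal 20-byte IPv4 header (constructed sample; no options, fixed ID and TTL)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234,
                      IP_FLAG_DF if df else 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_original_tcp_packet(src, dst, sport, dport, size=1500) -> bytes:
    """The host's outbound packet: 20-byte IP header with DF set, 20-byte TCP header, padding."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 65535, 0, 0)
    payload = b"A" * (size - 20 - len(tcp))
    return build_ipv4_header(src, dst, size, IPPROTO_TCP, df=True) + tcp + payload


def build_frag_needed(router_ip: str, orig_packet: bytes, next_hop_mtu: int) -> bytes:
    """The error the router on the 1400-byte link sends back to the original source.

    The ICMP payload quotes the original IP header plus the first 8 bytes of its payload,
    which is exactly enough to recover the TCP/UDP ports of the flow it belongs to."""
    orig_ihl = (orig_packet[0] & 0x0F) * 4
    quoted = orig_packet[:orig_ihl + 8]
    icmp = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu) + quoted
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    orig_src = socket.inet_ntoa(orig_packet[12:16])
    # Note the outer source: the router, not the server the host was talking to.
    return build_ipv4_header(router_ip, orig_src, 20 + len(icmp), IPPROTO_ICMP, df=False) + icmp


def parse_frag_needed(packet: bytes):
    """Return (next_hop_mtu, (proto, src, sport, dst, dport)) of the quoted packet,
    or None if this is not a well-formed Fragmentation-Needed error."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_ICMP:
        return None
    icmp = packet[ihl:]
    if len(icmp) < 8 + 20 + 8:          # ICMP header + inner IP header + 8 bytes
        return None
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if itype != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED or checksum(icmp) != 0:
        return None
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return mtu, (inner[9], src, sport, dst, dport)


def should_pass(packet: bytes, flow_table: set) -> bool:
    """Stateful filter decision: admit the ICMP error only if the packet it quotes belongs to a
    flow we have already seen leave the network. A filter that keys only on the outer
    source/destination (router -> host) has no matching state and drops it."""
    parsed = parse_frag_needed(packet)
    return parsed is not None and parsed[1] in flow_table


def tcp_mss_for(mtu: int) -> int:
    """TCP MSS the host should drop to for this path: MTU minus 20-byte IP and 20-byte TCP headers."""
    return mtu - 40


if __name__ == "__main__":
    # Constructed sample flow: customer PC 192.0.2.10 -> web server 198.51.100.80.
    flow = (IPPROTO_TCP, "192.0.2.10", 51000, "198.51.100.80", 80)
    outbound = build_original_tcp_packet(flow[1], flow[3], flow[2], flow[4])
    error = build_frag_needed("203.0.113.1", outbound, 1400)   # router on the 1400-byte link
    mtu, quoted_flow = parse_frag_needed(error)
    print("next-hop MTU %d, quoted flow %r, MSS should become %d" % (mtu, quoted_flow, tcp_mss_for(mtu)))
    print("stateful filter passes it:", should_pass(error, {flow}))
    print("filter without flow state passes it:", should_pass(error, set()))
```

`parse_frag_needed` is the part a firewall has to get right: the decision is made on the inner, quoted header, not on the outer addresses, which is what connection-tracking firewalls mean when they treat an ICMP error as "related" to an existing flow (on Linux netfilter, for example, accepting `--ctstate RELATED` does this). The MTU value is what the sending host feeds back into its TCP MSS.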

Now, to the problem with ICMP filtering and PMTU-D:

In this case, if the ICMP can't-fragment errors cannot get back to the source host due to a filter, the host will never know that the packets it is sending are too large. This means it will keep trying to send the same large packet, and it will keep being dropped, silently dropped from the view of any system on the other side of the filter. While a small handful of systems that implement PMTU-D also implement a way to detect such situations, most don't, and even for those that do it has a negative impact on performance and the network.
If this is happening, typical symptoms include the ability for small packets (e.g. a request for a very small web page) to get through, while larger ones (e.g. a large web page) will simply hang. This situation can be confusing to the novice administrator because they obviously have some connectivity to the host, but it just stops working for no obvious reason on certain transfers.
There is one solution, and several workarounds, for this problem. They include:

http://www.znep.com/~marcs/mtu/ 
Resolve IP Fragmentation, MTU, MSS, and PMTUD Issues with GRE and IPSEC
