PMTU and Broken Servers

Hank Nussbacher hank at att.net.il
Tue May 13 05:38:12 UTC 2003


At 04:38 PM 12-05-03 -0400, Russell, David wrote:

Based on:
http://www.cisco.com/warp/public/707/GSR-unreachables-pub.shtml

"ip icmp rate-limit unreachable n
Where n is the number of milliseconds between two consecutive ICMP 
unreachable packets. The default value is 500. That means that one ICMP 
unreachable packet is send every 500 ms."

Also specified in:
"IP Fragmentation and PMTUD"
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml
which was last updated about 10 days ago and covers everything in this 
thread so far (other than JunOS :-))

-Hank



>  You should keep in mind that Cisco routers have a limit on the number of 
> ICMP messages they will originate per second.  (My mind fails me as to 
> whether it is 3 or 30).  So you might lose a few ICMPs because of this.
>
>David
>
>-----Original Message-----
>From: Stephen J. Wilcox
>To: Curtis Maurand
>Cc: Leo Bicknell; nanog at merit.edu
>Sent: 5/12/03 10:49 AM
>Subject: Re: PMTU and Broken Servers
>
>
>You mean theres routers which get a large packet and silently drop it
>rather
>than return an icmp?
>
>Curious as to know which vendors? (read fundementally broken!)
>
>Steve
>
>On Mon, 12 May 2003, Curtis Maurand wrote:
>
> >
> >
> > I've had the problem before.  Not all routers handle PMTU correctly.
> >
> > Curtis
> >
> > On Thu, 8 May 2003, Leo Bicknell wrote:
> >
> > >
> > > I've recently had the pleasure of troubleshooting a problem I don't
> > > normally have to deal with, and the results don't quite make sense
> > > to me.  I'm hoping someone can enlighten me as to what is going on.
> > > A diagram:
> > >
> > > server---internet---fw---tunnelbox1----tunnelbox2----user
> > >
> > > The tunnel between the tunnelboxes is a lower (1480) MTU.
>Originally
> > > the user couldn't access some servers, turns out the firewall was
> > > filtering ICMP Can't Fragment messages, preventing PMTU from working
> > > in the server->user direction (tunnelbox1 would generate Can't
> > > Fragement, firewall would filter).
> > >
> > > That's been corrected.  Going to a server I control I see good PMTU
> > > in both directions between the server and the user.  However, there
> > > are still a number of web servers for popular sites that behave
> > > just like the firewall was still filtering Can't Fragments.  The
> > > theory is that the servers are behind a firewall/load balancer that
> > > is filtering them on the server side -- but I find it slightly
> > > (emphasis on the slightly) that someone would turn on PMTU
>discovery,
> > > and then filter it out right in front of the boxes where they turned
> > > it on.  Also, it seems to me most DSL users are behind PPPoE links
> > > with lower MTU, and should get hit by the same problem.
> > >
> > > The temporary hack is to have tunnelbox1 clear the DF bit on all
> > > incoming packets, which just causes the packets to get fragmented
> > > going down the tunnel.  A minor performance hit, but it works.
> > >
> > > This is a new problem to me, but I'm sure people have run into it
> > > before.  Are the servers really that broken (PMTU enabled, ICMP
> > > Can't Fragement filtered)?  Does the head end box of DSL services
> > > generally do something to work around this (ie, clear the DF bit)?
> > > Am I just being an idiot and missing something obvious?
> > >
> > >
> >
> >
>Note:  The information contained in this message may be privileged and 
>confidential and protected from disclosure.  If the reader of this message 
>is not the intended recipient, or an employee or agent responsible for 
>delivering this message to the intended recipient, you are hereby notified 
>that any dissemination, distribution or copying of this communication is 
>strictly prohibited.  If you have received this communication in error, 
>please notify us immediately by replying to the message and deleting it 
>from your computer. Thank you.  ThruPoint, Inc.




More information about the NANOG mailing list