92 Byte ICMP Blocking Problem

William Devine, II william at smartguys.net
Fri Sep 12 18:39:47 UTC 2003


I had the exact same problem.  As soon as I turned it on, within minutes I
had customers calling that could no longer FTP into Win2k servers and some
that couldn't SSH into their Linux servers.
I've since turned it off as well.
Are there any other known ways to block this?

william

----- Original Message ----- 
From: "Chris Adams" <cmadams at hiwaay.net>
To: "Steven M. Bellovin" <smb at research.att.com>
Cc: "Nanog" <nanog at nanog.org>
Sent: Friday, September 12, 2003 1:32 PM
Subject: Re: 92 Byte ICMP Blocking Problem


>
> Once upon a time, Steven M. Bellovin <smb at research.att.com> said:
> > In message <20030912175258.GB616832 at hiwaay.net>, Chris Adams writes:
> > >Yes.  As soon as we put the policy route map in place, we had some
> > >people unable to talk via SSH, SMTP, or POP3.  It was random: one person
> > >here in the office couldn't SSH to a particular server.  He could SSH to
> > >other servers, and the rest of us could SSH to the server he could not.
> > >We had similar experiences with SMTP and POP3.  When we took the policy
> > >route map back out, the problems went away.
> > >
> > >This is with IOS 12.0(25)S1 on a 7513 doing dCEF.  We put the policy
> > >route map on the FE interface linking this router to the POP core
> > >router; this router has MC-T3 interfaces and ethernets to Ascend TNTs
> > >and such.  The intent was to stop the 92 byte ICMP echos from reaching
> > >the Ascend TNTs, since several of them were rebooting constantly.
> >
> > I wonder if it's a Path MTU problem.  Can you turn off Path MTU on some
> > of the affected hosts and see if it solves the problem?
>
> I don't have it in place anymore (because it caused more problems than
> it fixed), so I can't test this.  In any case, the route map only
> matched 92 byte ICMP echo and ICMP echo-reply packets, which is not what
> PMTU uses, so it shouldn't have had a problem.  Also, I know that the
> MTU along the path for the person in the office is the same all the way,
> so PMTU shouldn't come into play there.
> -- 
> Chris Adams <cmadams at hiwaay.net>
> Systems and Network Administrator - HiWAAY Internet Services
> I don't speak for anybody but myself - that's enough trouble.
>
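
Added example, not part of the original thread or any poster's configuration: a Python sketch of the match criteria described above (ICMP echo and echo-reply with an IP total length of 92 bytes), run against constructed packets to show which traffic falls inside it and that a Path MTU "fragmentation needed" message (ICMP type 3, code 4) does not. All function names, sample packets and addresses are assumptions made for illustration.

```python
import struct

ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO = 0, 3, 8
FRAG_NEEDED = 4  # code carried by Path MTU discovery messages (RFC 1191)

def build_ipv4(proto, payload):
    """Constructed sample: 20-byte IPv4 header (checksum left at 0) + payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return header + payload

def icmp(msg_type, code, body_len):
    """Constructed ICMP message: 8-byte header plus filler body."""
    return struct.pack("!BBHI", msg_type, code, 0, 0) + b"\xaa" * body_len

def parse(packet):
    """Return (protocol, total_length, byte0, byte1 of payload) or None if malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 2:
        return None
    total_len = struct.unpack("!H", packet[2:4])[0]
    return packet[9], total_len, packet[ihl], packet[ihl + 1]

def matches_92_byte_echo(packet):
    """The match described in the thread: ICMP echo/echo-reply, IP length 92."""
    p = parse(packet)
    return bool(p) and p[0] == 1 and p[1] == 92 and p[2] in (ICMP_ECHO, ICMP_ECHO_REPLY)

def is_pmtu_signal(packet):
    """ICMP destination unreachable, fragmentation needed (type 3, code 4)."""
    p = parse(packet)
    return bool(p) and p[0] == 1 and p[2] == ICMP_DEST_UNREACH and p[3] == FRAG_NEEDED

SAMPLES = {  # all constructed for this example
    "echo_92": build_ipv4(1, icmp(ICMP_ECHO, 0, 64)),
    "echo_reply_92": build_ipv4(1, icmp(ICMP_ECHO_REPLY, 0, 64)),
    "echo_84": build_ipv4(1, icmp(ICMP_ECHO, 0, 56)),
    "pmtu_frag_needed": build_ipv4(1, icmp(ICMP_DEST_UNREACH, FRAG_NEEDED, 28)),
    "tcp_92": build_ipv4(6, b"\x00" * 72),
}

def classify():
    """Map each sample name to (matches 92-byte echo filter, is PMTU signal)."""
    return {name: (matches_92_byte_echo(pkt), is_pmtu_signal(pkt))
            for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in classify().items():
        print(f"{name:18} echo92={result[0]!s:5} pmtu={result[1]}")
```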