Seeking Comcast Contact: need to troubleshoot packet loss and/or asymmetric routing issue between Comcast & Onvoy

Jim Shankland nanog at shankland.org
Fri Aug 3 00:38:51 UTC 2007


Robert Boyle wrote:
> Either your firewall/router or the customer's firewall/router is
> blocking PMTUD packets.....  I suspect an overzealous firewall admin
> is blocking all icmp.

Which you can't do anything about if the overzealous firewall admin
is at the other end of the connection.  My repeated, first-hand
experience has been that several of the better-known web sites out
there will happily send out 1500-byte packets with DF set, then
ignore the DEST_UNREACH/FRAG_NEEDED icmp responses they get.  If you're
on the client end of this, you're sunk unless you initiate the
connection specifying a lower MSS.

Linux has a nifty iptables option (clamp-mss-to-pmtu) to rewrite the
MSS in TCP SYN packets when forwarding a packet onto a link with
a lower MTU than the MSS in the packet.  Works like a charm.  If every
packet forwarding device on the Internet did this, PMTUD would not be
needed.  As is, PMTUD is simply broken, due to widespread firewall
misconfiguration.  As in so many other cases of Internet misbehavior,
you can avoid being part of the problem, but you can't be the solution.

Jim Shankland
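The MSS clamping described above, as an added example that is not part of the original post: a Python emulation of what the iptables TCPMSS target does to a forwarded IPv4 SYN, with the TCP checksum patched incrementally rather than recomputed. The sample SYN (and its checksum, computed here without the IP pseudo-header) is constructed for the demo.

```python
import struct

# Added example, not from the original post: offline emulation of what iptables' TCPMSS --clamp-mss-to-pmtu does to a forwarded SYN.
IPV4_HDR, TCP_HDR, SYN = 20, 20, 0x02

def ones_sum(data):
    """16-bit one's-complement sum of data (odd trailing byte zero-padded)."""
    data += b"\x00" * (len(data) % 2)
    acc = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    return acc

def incremental_checksum(old_csum, old_val, new_val):
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'): fix the checksum without a full resum."""
    acc = (~old_csum & 0xFFFF) + (~old_val & 0xFFFF) + new_val
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    return ~acc & 0xFFFF

def clamp_mss(segment, link_mtu):
    """Lower the MSS option of an IPv4 TCP SYN to what link_mtu allows (else return as-is)."""
    seg = bytearray(segment)
    data_off = (seg[12] >> 4) * 4
    if not seg[13] & SYN:
        return bytes(seg)
    i, limit = TCP_HDR, link_mtu - IPV4_HDR - TCP_HDR
    while i + 1 < data_off and seg[i] != 0:      # stop at end-of-option-list
        if seg[i] == 1:                          # NOP padding
            i += 1
            continue
        kind, length = seg[i], seg[i + 1]
        if length < 2 or i + length > data_off:
            break                                # malformed options: leave untouched
        if kind == 2 and length == 4:            # MSS option
            old_mss = struct.unpack_from("!H", seg, i + 2)[0]
            if old_mss > limit:
                struct.pack_into("!H", seg, i + 2, limit)
                old_csum = struct.unpack_from("!H", seg, 16)[0]
                struct.pack_into("!H", seg, 16, incremental_checksum(old_csum, old_mss, limit))
            break
        i += length
    return bytes(seg)

def build_syn(mss):
    """Constructed sample SYN (header + MSS option); checksum covers the segment only."""
    opts = struct.pack("!BBH", 2, 4, mss)
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 6 << 4, SYN, 65535, 0, 0)
    csum = ~ones_sum(hdr + opts) & 0xFFFF
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + opts
```

A 1492-byte link (typical PPPoE) leaves room for a 1452-byte MSS, so a SYN advertising 1460 is rewritten while one advertising 1400 passes unchanged.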