North American Network Operators Group


Re: PMTU and Broken Servers

  • From: Joe St Sauver
  • Date: Thu May 08 10:54:06 2003

Hi Leo,

#The tunnel between the tunnelboxes is a lower (1480) MTU.  Originally
#the user couldn't access some servers, turns out the firewall was
#filtering ICMP Can't Fragment messages, preventing PMTU from working
#in the server->user direction (tunnelbox1 would generate Can't
#Fragment, firewall would filter).

This is actually a more broadly present problem than you might think.
I talked about this in the context of a jumbo frames presentation 
("Practical Issues Associated with 9K MTUs") I did for the February 
NLANR/I2 Joint Techs in Miami; see: (PDF and PowerPoint versions provided)

#I find it slightly
#(emphasis on the slightly) that someone would turn on PMTU discovery,
#and then filter it out right in front of the boxes where they turned
#it on.  

Different folks are probably driving the server network configuration and
the firewall/border router configuration process. Disconnect is not 
inconceivable in that scenario by any means. 

#This is a new problem to me, but I'm sure people have run into it
#before.  Are the servers really that broken (PMTU enabled, ICMP
#Can't Fragment filtered)?  

Yes, it is a huge issue potentially. 


Joe St Sauver ([email protected])
University of Oregon Computing Center
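The failure mode discussed in this thread, as an added example that is not part of the original post or of Joe's Joint Techs material: a small Python model of RFC 1191 path-MTU discovery from the server side, with a tunnel hop at 1480 and a firewall that either passes or drops the ICMP "fragmentation needed" (type 3, code 4) message the tunnelbox generates. The ICMP builder and parser follow the real wire format (including the next-hop MTU field and the Internet checksum); the `Path` and `pmtud_send` helpers and the link MTUs are constructed for illustration and are not from the post.

```python
"""Model of PMTUD with a firewall that filters ICMP type 3 code 4.

Added example, not from the NANOG post.  The ICMP encoding is the real
RFC 1191 layout; the topology (1500 / 1480 / 1500) and the Path and
pmtud_send helpers are constructed to mirror the scenario in the thread.
"""
import struct

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4      # "can't fragment" / "fragmentation needed and DF set"


def checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071) over data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frag_needed(next_hop_mtu: int, orig_ip_header_plus_8: bytes) -> bytes:
    """ICMP type 3 code 4 with the next-hop MTU in bytes 6-7 (RFC 1191 s.4),
    followed by the offending datagram's IP header plus 8 bytes."""
    unchecked = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
                            0, 0, next_hop_mtu) + orig_ip_header_plus_8
    csum = checksum(unchecked)
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
                       csum, 0, next_hop_mtu) + orig_ip_header_plus_8


def parse_frag_needed(msg: bytes):
    """Return the advertised next-hop MTU, or None if msg is not a valid
    fragmentation-needed message (wrong type/code, short, bad checksum)."""
    if len(msg) < 8:
        return None
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if typ != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    if checksum(msg) != 0:          # a correct checksum folds to zero
        return None
    return mtu


class Path:
    """Server -> user path: per-hop link MTUs in order, plus the firewall
    policy for ICMP returning toward the server (constructed helper)."""

    def __init__(self, link_mtus, firewall_passes_frag_needed):
        self.link_mtus = link_mtus
        self.firewall_passes_frag_needed = firewall_passes_frag_needed

    def forward(self, ip_total_length, df_set):
        """Returns ('delivered', None), ('icmp', msg) or ('blackhole', None)."""
        for mtu in self.link_mtus:
            if ip_total_length <= mtu:
                continue
            if not df_set:
                return ("delivered", None)   # router fragments; simplified
            # The tunnelbox generates Can't Fragment; constructed IP header+8.
            orig = b"\x45\x00" + struct.pack("!H", ip_total_length) + b"\x00" * 24
            msg = build_frag_needed(mtu, orig)
            if self.firewall_passes_frag_needed:
                return ("icmp", msg)
            return ("blackhole", None)       # firewall ate the ICMP
        return ("delivered", None)


def pmtud_send(path, payload_len, start_mtu=1500, max_rounds=10):
    """Server-side PMTUD: send DF-set packets sized to the current PMTU
    estimate, shrink on fragmentation-needed, give up after max_rounds of
    silence.  Returns (outcome, final_pmtu_estimate)."""
    pmtu = start_mtu
    for _ in range(max_rounds):
        size = min(payload_len + 40, pmtu)   # 20-byte IP + 20-byte TCP header
        outcome, msg = path.forward(size, df_set=True)
        if outcome == "delivered":
            return ("delivered", pmtu)
        if outcome == "icmp":
            new_mtu = parse_frag_needed(msg)
            if new_mtu is None or new_mtu >= pmtu:
                return ("stalled", pmtu)     # bogus or non-shrinking advice
            pmtu = new_mtu
            continue
        # blackhole: the sender just retransmits the same size, silently
    return ("blackhole", pmtu)


if __name__ == "__main__":
    working = Path([1500, 1480, 1500], firewall_passes_frag_needed=True)
    broken = Path([1500, 1480, 1500], firewall_passes_frag_needed=False)
    print("ICMP allowed, 1460-byte segment:", pmtud_send(working, 1460))
    print("ICMP filtered, 1460-byte segment:", pmtud_send(broken, 1460))
    print("ICMP filtered, 100-byte segment: ", pmtud_send(broken, 100))
```

The third case is the symptom users actually report: small responses (a login page, a short reply) get through the filtered path fine, and only full-size segments vanish, which is why the problem looks like "some servers" being unreachable rather than a dead link. The fix the flag stands in for is a firewall rule that permits ICMP type 3 code 4 toward the hosts running PMTUD rather than dropping all ICMP.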