Hi,

Thanks for your input guys. I've since resolved the issue by altering the PIX. I've found that it's not possible to increase the size of the allowed ICMP packets, but I can alter the way the PIX handles large ICMP packets.

This is a function of the IDS element of the PIX, which will look at the data and compare the signatures of the traffic to its known list. An IDS policy exists to stop the 'Ping of Death' attack on the firewall. When I disabled this signature, my large ICMP packets were allowed through and thus my GPOs worked! However, there is a security implication of disabling these IDS signatures, so please check with your Network/Firewall consultants before making these changes. What I plan to do is disable the IDS signature on the PIX and then update all my PCs with a GPO that alters the registry so as not to send these oversize pings.

To make the change on the PIX I used the PDM: Log on and go to Configuration | System Properties. Expand Intrusion Detection, then select IDS Signatures. Disable '2150 - A fragmented ICMP' and '2151 - Large ICMP'. Apply, then save.

Thanks again,
Adam

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: 24 June 2005 16:45
To: [email protected]
Subject: RE: [ActiveDir] Increase ICMP packet size on a PIX - GPO related

This is one of those chicken and egg problems. When ICMP slow link detection fails (i.e. no response is received to the ping request), no GP processing occurs at all, so you can't disable slow link detection through GP. So you can't deliver the reg changes to disable slow link detection through GP. Fun.

One novel approach I've seen is to make the change on the local GPO and then copy the relevant registry.pol files from the local GPO to all machines in the environment. Not elegant, but it gets the job done.

I've seen it documented that slow link detection uses max. packet sizes of 2048 bytes. However, in looking at the code around slow link detection, I found nothing in there that limited it to that, so I kinda wonder. In sniffer traces that I've done, however, I've not seen it above that, and often see smaller sizes.
You say below that you are allowing 2K packets--is it exactly 2000 bytes or is it 2048? Frankly, rather than having to lose the benefits of slow link detection by disabling it completely, I would definitely take the approach of opening up the firewall a bit to allow it to happen naturally. Unfortunately, my Cisco skills have evaporated over the years, so I am no help in directing you to actually make the change. A quick look at a Cisco PIX config guide didn't show it where I would have expected it, either in the access list commands or in the icmp command.

Darren

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Kingslan
Sent: Friday, June 24, 2005 8:23 AM
To: [email protected]
Subject: RE: [ActiveDir] Increase ICMP packet size on a PIX - GPO related

I initially started looking at this from one viewpoint, and then I began to think about slow link detection. You've taken traces to determine the size... What is the return message from ICMP when this large packet is detected by the PIX? Or does the PIX just discard it? If the PIX is discarding it, I suspect it might be possible that the link is being interpreted as very slow. What if you disable slow link detection at the GPOs?

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of knighTslayer
Sent: Friday, June 24, 2005 5:35 AM
To: [email protected]
Subject: [ActiveDir] Increase ICMP packet size on a PIX - GPO related

Hi,

I have a problem with remote sites in Active Directory not applying group policies. I've discovered that when the PC starts or logs on it will send an oversize ICMP packet to the DC to establish that the connection is available and good. As my sites are connected through a VPN via a PIX, I've discovered that the ICMP gets blocked by the PIX.
Apparently, by default, the PIX does not allow ICMP packets greater than 2k, and the packet from the PC to the DC is bigger than this, therefore the PC doesn't get a reply, so it assumes that the connection is not that great, thus USERENV does not download and apply the GPOs.

I've found that there are two work-arounds to this problem. One is to modify the registry on every PC to not bother sending the packet and just download GPOs anyway by adding these keys:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"GroupPolicyMinTransferRate"=dword:00000000

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"GroupPolicyMinTransferRate"=dword:00000000

...and the other is to increase the allowed size of the ICMP packet on the PIX from 2k to something higher like 3k. I can't really justify changing 1000s of PCs' registry settings when I believe there is a quicker solution by modifying the PIX.

So the question is (finally!), does anyone know how to increase the ICMP packet size on the PIX?

TIA
Adam

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
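An added client-side diagnostic, not from any message in this thread, for confirming the symptom Adam and Darren describe before anyone disables IDS signatures or pushes registry changes: it sends ICMP echo requests to a domain controller with payloads around the 2048-byte size slow link detection is said to use and reports which sizes are answered. The DC name is an assumed placeholder; it assumes Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the thread): probe a DC with ICMP echo payloads
# around the 2 KB slow-link-detection size and report which sizes get a
# reply. A PIX dropping "Large ICMP" shows up as small payloads answered and
# 2048-byte-and-above payloads timing out.
param(
    [string]$DomainController = 'dc01.corp.example',       # assumed placeholder
    [int[]]$PayloadSizes = @(32, 1024, 1472, 2000, 2048, 3000), # 2000 vs 2048 per Darren
    [int]$TimeoutMs = 2000
)

# System.Net.NetworkInformation.Ping behaves the same in Windows PowerShell 5.1
# and PowerShell 7; Test-Connection's output object changed between them.
$pinger = New-Object System.Net.NetworkInformation.Ping
$results = foreach ($size in $PayloadSizes) {
    # Payloads above ~1472 bytes exceed a 1500-byte Ethernet MTU (20 IP + 8 ICMP
    # header bytes) and arrive fragmented, which is why signature 2150
    # ("fragmented ICMP") mattered alongside 2151 ("Large ICMP").
    $payload = New-Object byte[] $size
    try {
        $reply  = $pinger.Send($DomainController, $TimeoutMs, $payload)
        $status = $reply.Status.ToString()
        $rtt    = if ($reply.Status -eq 'Success') { $reply.RoundtripTime } else { $null }
    } catch {
        # DNS failure or socket error: record it instead of aborting the probe
        $status = $_.Exception.Message
        $rtt    = $null
    }
    [pscustomobject]@{ PayloadBytes = $size; Status = $status; RoundtripMs = $rtt }
}

$results | Format-Table -AutoSize

# Largest payload that was answered. If it sits below 2048 the thread's symptom
# (no reply to the slow-link probe, so no GP processing at all) is confirmed.
$answered  = @($results | Where-Object { $_.Status -eq 'Success' } | ForEach-Object PayloadBytes)
$largestOk = if ($answered.Count) { ($answered | Sort-Object -Descending)[0] } else { $null }

if ($null -eq $largestOk) {
    Write-Warning "No ICMP echo replies at all from $DomainController; check basic reachability first."
} elseif ($largestOk -lt 2048) {
    Write-Warning "Replies stop at $largestOk bytes: a 2048-byte slow-link probe would go unanswered on this path."
} else {
    "Payloads up to $largestOk bytes are answered; ICMP size is not the blocker here."
}
```

Run it from a client at the remote site against its logon DC; the same loop run after a firewall change shows whether the fix took effect without waiting for a Group Policy refresh.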
