On Sunday 01 Sep 2013 12:17:28 Grant wrote:
> > Communications between IPv4 end points use PMTUD by setting a Don't
> > Fragment (DF) bit in the headers of the outgoing packet. If a
> > router/server along the path has a smaller MTU, it will drop that packet
> > and respond with an ICMP 'Destination Unreachable -- Fragmentation
> > Needed' packet including its smaller MTU value. Upon receiving this
> > smaller packet value the initiating host will dynamically reduce the
> > size of the outgoing packets, until the packet arrives at its intended
> > destination. PMTUD should always be switched on in any well-behaved
> > network implementation, but here's the rub: some network nodes,
> > firewalls, servers are configured to never respond with *any* ICMP
> > packets (because they think that this is a way to avoid DDoS problems
> > and the like). Therefore, the initiating host keeps sending large
> > packets never knowing that they are dropped on the way. This network
> > problem is known as a PMTUD blackhole and is explained better here:
>
> Could ICMP packets not getting through be to blame for my proxy server
> problem? My laptop can't seem to ping anyone (blocked at the firewall
> in this hotel I suppose) and certainly the proxy server can't ping my
> laptop.
Not all ICMP packets are relevant to detecting the MTU of a node. A correctly implemented node will return an ICMP Fragmentation Needed (Type 3, Code 4) packet, with its MTU value. This kind of ICMP packet should not be blocked at firewalls.

Use ping with the do-not-fragment option to see if packets above a certain size time out, i.e. they are dropped by some offending node on the way:

  ping -c 6 -n -M do -s 1472 <server_address>

This will send 6 packets to your server's address having set the do-not-fragment bit. The packet payload size is set at 1472 to allow for the 28 bytes that are taken up by the IP and ICMP header data. So the total packet size would be 1472+28=1500, the usual ethernet packet size.

If the MTU of the server is less than 1500 bytes, you will get a response containing "Frag needed and DF set", otherwise you will get pong responses, e.g.:

  1480 bytes from XXX.XX.XXX.XXX: icmp_seq=1 ttl=121 time=66.5 ms

If there is a black hole in the circuit you will be getting timeouts. Start reducing the size of the packet if you are getting timeouts, say by 10 bytes at a time. When you arrive at or below the corresponding size of the MTU of a blackhole you will start getting responses.

Of course, if the hotel's firewall is blocking all outgoing/incoming pings this sort of diagnostic test will not be useful.

--
Regards,
Mick
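An added worked example, not code from the original thread or from either poster: a POSIX shell script that automates the walk-down Mick describes, binary-searching the largest DF-marked payload that still gets a reply instead of stepping 10 bytes at a time, and reporting whether the larger probes drew "Frag needed" (PMTUD signalling works) or simply timed out (a black hole, or ICMP filtered entirely). It assumes Linux iputils ping (the same -M do / -s flags used above); the function names, the search bounds (548 = 576-28 as floor, 1472 = 1500-28 as ceiling) and the sample ping outputs are constructed for illustration, with RFC 5737 documentation addresses standing in for real hosts.

```shell
#!/bin/sh
# pmtu_probe.sh -- added example, not from the original thread.
# Automates "shrink the DF-marked ping until it gets through".
# Assumes Linux iputils ping (-M do, -s, -c, -W). Addresses in the
# constructed samples below are RFC 5737 documentation addresses.

# IPv4 header (20) + ICMP echo header (8): payload -> on-the-wire size.
payload_to_mtu() {
    echo $(( $1 + 28 ))
}

# Classify the output of one ping run. Echoes one of:
#   frag-needed : a hop sent ICMP Type 3 Code 4 (or the local stack
#                 refused the size), so PMTUD signalling is working
#   reply       : echo replies came back, the path carries this size with DF set
#   timeout     : nothing came back, a PMTUD black hole or ICMP filtered entirely
# "Frag needed" is tested first so a mixed run counts as a failure for that size.
classify_ping_output() {
    case "$1" in
        *"Frag needed and DF set"*|*"Message too long"*|*"message too long"*)
            echo frag-needed ;;
        *" bytes from "*)
            echo reply ;;
        *)
            echo timeout ;;
    esac
}

# One DF-marked probe of $2 payload bytes to host $1. Two packets with a
# two-second wait keep the search quick; "|| true" because ping exits
# non-zero on loss and the caller may be running under set -e.
probe_size() {
    out="$(ping -c 2 -n -W 2 -M do -s "$2" "$1" 2>&1 || true)"
    classify_ping_output "$out"
}

# Binary-search the largest payload that gets a reply with DF set, between
# lo (default 548 = 576-28) and hi (default 1472 = 1500-28, Ethernet).
# Returns 0 and prints the path MTU if found, 1 if even lo fails.
find_pmtu() {
    host="$1"; lo="${2:-548}"; hi="${3:-1472}"
    best=""; fail_kind=""
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        kind="$(probe_size "$host" "$mid")"
        if [ "$kind" = reply ]; then
            best="$mid"; lo=$(( mid + 1 ))
        else
            fail_kind="$kind"; hi=$(( mid - 1 ))   # hi only ever shrinks, so
        fi                                         # fail_kind is the smallest failure
    done
    if [ -z "$best" ]; then
        echo "no DF-marked probe got through, even at payload $lo ($fail_kind)"
        return 1
    fi
    echo "largest payload with DF set: $best (path MTU $(payload_to_mtu "$best"))"
    case "$fail_kind" in
        frag-needed) echo "larger probes drew 'Frag needed': PMTUD is working" ;;
        timeout)     echo "larger probes timed out: PMTUD black hole (or ICMP filtered)" ;;
        "")          echo "top of range got through: path MTU is at least $(payload_to_mtu "$best")" ;;
    esac
}

# Constructed sample outputs (not captured from a real run) so the
# classifier can be exercised offline.
SAMPLE_REPLY='PING 203.0.113.10 (203.0.113.10) 1472(1500) bytes of data.
1480 bytes from 203.0.113.10: icmp_seq=1 ttl=121 time=66.5 ms
1480 bytes from 203.0.113.10: icmp_seq=2 ttl=121 time=65.9 ms

--- 203.0.113.10 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms'
SAMPLE_FRAG='PING 203.0.113.10 (203.0.113.10) 1472(1500) bytes of data.
From 198.51.100.1 icmp_seq=1 Frag needed and DF set (mtu = 1400)
From 198.51.100.1 icmp_seq=2 Frag needed and DF set (mtu = 1400)

--- 203.0.113.10 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1001ms'
SAMPLE_TIMEOUT='PING 203.0.113.10 (203.0.113.10) 1472(1500) bytes of data.

--- 203.0.113.10 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1022ms'

# Usage: ./pmtu_probe.sh <server_address> [lo_payload] [hi_payload]
if [ $# -gt 0 ]; then
    find_pmtu "$@"
fi
```

Run it as `sh pmtu_probe.sh <server_address>` from the laptop. A "Frag needed" verdict means the path is signalling its MTU properly and the problem lies elsewhere; a "timed out" verdict is consistent with a black hole but, as Mick points out, is indistinguishable from a firewall that drops echo traffic altogether, so confirm with a plain ping first.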

