On Sunday 01 Sep 2013 14:59:19 Grant wrote:
> >> Could ICMP packets not getting through be to blame for my proxy server
> >> problem?  My laptop can't seem to ping anyone (blocked at the firewall
> >> in this hotel I suppose) and certainly the proxy server can't ping my
> >> laptop.
> >
> > Not all ICMP packets are relevant to detecting the MTU of a node.  A
> > correctly implemented node will return an ICMP Fragmentation Needed
> > (Type 3, Code 4) packet, with its MTU value.  This kind of ICMP packets
> > should not be blocked at firewalls.  Use ping with the do not fragment
> > option to see if packets above a certain size time out, i.e. they are
> > dropped by some offending node on the way.
> >
> > ping -c 6 -n -M do -s 1472 <server_address>
>
> I get "Frag needed and DF set (mtu = 1492)" when pinging google.com.
> I get normal replies with -s 1464.  ifconfig shows my WAN interface at
> MTU 1500 so PMTUD must change the MTU for communication with
> google.com if I understand correctly.

The hotel's router/modem may be using PPPoE to authenticate with their ISP, which has a larger header size and requires an MTU of 1492 (1464+28=1492). So, although your NIC is configured to the full Ethernet MTU size, the router drops the size down to 1492 to be able to squeeze it out through the ISP's network. That's all good and proper and will not cause the timeout problem you have been experiencing.

> > Of course, if the hotel's firewall is blocking all outgoing/incoming
> > pings this sort of diagnostic test will not be useful.
>
> I actually only lose pings to my own remote system so I've started a
> new thread about that.  I tried down to -s 1 but still 100% packet
> loss there.

Have you checked that the firewall at your server is not set to drop all ICMP packets and that you don't have something like this set up on it:

net.ipv4.icmp_echo_ignore_all = 0

(use sysctl to check)

-- 
Regards,
Mick
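Added example, not part of the original message: a small Python parser for the ICMP Fragmentation Needed (Type 3, Code 4) message discussed above, showing where the MTU value sits and how 1492 maps to the 1464-byte ping payload. The function names are hypothetical and the sample packet is constructed (documentation addresses, inner checksums left at 0).

```python
import socket
import struct

IP_ICMP_OVERHEAD = 20 + 8  # IPv4 header without options + ICMP echo header

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (16-bit one's complement)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_frag_needed(icmp: bytes):
    """Return (next_hop_mtu, original_dst, original_len), or None if not 3/4."""
    # `icmp` is the ICMP message with the outer IP header already stripped.
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    if inet_checksum(icmp) != 0:  # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        return None
    if len(icmp) < 8 + 20:
        raise ValueError("quoted IPv4 header missing")
    # The error quotes the IPv4 header of the datagram that did not fit.
    orig_len = struct.unpack("!H", icmp[10:12])[0]
    orig_dst = socket.inet_ntoa(icmp[24:28])
    return mtu, orig_dst, orig_len

def max_ping_size(mtu: int) -> int:
    """Largest `ping -M do -s` payload that fits the reported MTU."""
    return mtu - IP_ICMP_OVERHEAD

def build_sample(mtu: int) -> bytes:
    """Constructed sample: a router rejecting a 1500-byte DF echo request."""
    quoted = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 1,
                         0, socket.inet_aton("192.0.2.10"),
                         socket.inet_aton("198.51.100.7"))
    quoted += struct.pack("!BBHHH", 8, 0, 0, 1, 1)  # start of the echo request
    msg = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + quoted
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]

if __name__ == "__main__":
    mtu, dst, size = parse_frag_needed(build_sample(1492))
    print(f"{size}-byte datagram to {dst}: MTU {mtu}, ping -s {max_ping_size(mtu)}")
```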

