Guest
Posted: Wed Apr 19, 2006 9:18 am    Post subject: PIX 506E (6.3) MTU trouble

Hi!

Okay. After banging my head on the keyboard for a couple of hours I'm
giving in. Does anybody know what the hell PIX is doing to ICMP
packets? I seem to be able to get only 992B large ICMPs over the
PIX (992B ICMP = 1020B MTU). The network layout is pretty simple:

(C)-----(R)-----(P)----(Internet)

C = client
R = router (Cisco IOS 12.2)
P = PIX 506E

If I run tracepath/mturoute towards the router I get the MTU of 1500,
which is okay and expected (regular Ethernet). If I tracepath across
the router to a VPN connected site (the traffic here does not pass the
PIX) I end up with an MTU of 1436, which is also ok.

But if I run tracepath to the IP of the inside interface of the PIX,
the PIX will only respond to ICMP packets up to 992 bytes in size (MTU
1020). I get similar results from tracepathing hosts on the Internet
(even sites where I know the MTU should be 1492). It might be worth
noting that the router is in a pure routing function and is not doing
any packet filtering. The MTU of all interfaces is set to 1500.
The MTU for the inside and outside interface is set to 1500 on the PIX
(Ethernet on both sides).

To make matters weirder, I've tried the same tests on a similar PIX
layout (again client -> router -> PIX -> Internet) only to end up with
the exact same results.

So does anyone have a clue what exactly I'm doing wrong, or why PIX
decides that ICMP packets over 992 bytes in size aren't to be trusted
and neither
a) responds to them
b) passes them to the outside interface.

Thanks.
D.
Walter Roberson (Guest)
Posted: Wed Apr 19, 2006 5:49 pm    Post subject: Re: PIX 506E (6.3) MTU trouble

In article <1145423913.135095.105540@u72g2000cwu.googlegroups.com>,
<damirc@gmail.com> wrote:

Quote:
    Okay. After banging my head on the keyboard for a couple of hours I'm
    giving in. Does anybody know what the hell PIX is doing to ICMP
    packets? I seem to be able to get only 992B large ICMPs over the
    PIX (992B ICMP = 1020B MTU).

It drops them as a network protection feature.

Quote:
    So does anyone have a clue what exactly I'm doing wrong, or why PIX
    decides that ICMP packets over 992 bytes in size aren't to be trusted
    and neither
    a) responds to them
    b) passes them to the outside interface.

The standards indicate that one never replies to a failed or
blocked ICMP packet; this is required to prevent ICMP loops
(especially if the original packet was forged).

As for what is being protected against: search for "Ping of Death".
dcy747 (Guest)
Posted: Mon Apr 24, 2006 3:19 am    Post subject: Re: PIX 506E (6.3) MTU trouble

Thanks for your answer. I did assume something fishy (tm) was going on.

The problem is that Active Directory fails to work properly over
this link, since Active Directory still uses UDP for certain types of
traffic, and it is causing me a headache. Unfortunately I am not
allowed to force the Domain Controllers to use TCP (which is possible)
(system policy is such and cannot be altered). Since I'm running an
L2TP-VPN between these 2 sites I would presume that I need to lower the
MTU on the outside IF by 40 bytes. Am I correct in this assumption? (If
I understand correctly, at the moment I'm having reliability problems
with all non-TCP traffic which is over 1460 bytes in size (single
packet size).)

D.
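The following is an added worked example, not code from the thread or from Cisco. It models the two observations the thread turns on: Walter Roberson's point that the PIX silently drops oversized ICMP (so a path-MTU probe such as tracepath sees the largest passing 992-byte echo and reports a 1020-byte MTU, 992 + 8 ICMP header + 20 IP header), and D.'s follow-up about sizing non-TCP traffic for the link. The script builds real IPv4/ICMP echo requests with valid checksums, parses them back, applies a drop rule that reproduces the 992-byte threshold reported above (a model of the observed behaviour, not the PIX's actual code), and binary-searches the largest passing payload the way a probe tool would. The IP addresses are constructed sample values and the 992-byte limit is taken from the thread as an assumption about this particular setup.

```python
import socket
import struct

IP_HEADER_LEN = 20    # IPv4 header with no options
ICMP_HEADER_LEN = 8   # type, code, checksum, identifier, sequence

# Largest ICMP payload the thread reports getting through the PIX:
# 992 bytes of ICMP data -> 1020-byte IP packet (992 + 8 + 20).
# Assumption taken from the thread, used only to model the observed drop rule.
PIX_MAX_ICMP_PAYLOAD = 992

# Constructed sample addresses for the packets built below (not from the thread).
SRC = socket.inet_aton("192.168.0.10")
DST = socket.inet_aton("192.168.0.1")


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; returns 0 when a
    header that already carries its checksum verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(payload_len: int, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Build an IPv4 + ICMP echo request carrying payload_len bytes of data.

    The DF bit is set, as tracepath/mturoute do, so a hop that cannot carry
    the packet must either drop it or answer with ICMP 'fragmentation needed'.
    """
    payload = bytes(i & 0xFF for i in range(payload_len))
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    total_len = IP_HEADER_LEN + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 1, 0, SRC, DST)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_packet(pkt: bytes) -> dict:
    """Pull the fields needed to size-check an ICMP packet out of raw IPv4 bytes."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    info = {
        "ihl": ihl,
        "total_len": total_len,
        "proto": proto,
        "ip_checksum_ok": inet_checksum(pkt[:ihl]) == 0,
        "icmp_type": None,
        "icmp_payload": None,
        "icmp_checksum_ok": None,
    }
    if proto == 1:  # ICMP
        info["icmp_type"] = pkt[ihl]
        info["icmp_payload"] = total_len - ihl - ICMP_HEADER_LEN
        info["icmp_checksum_ok"] = inet_checksum(pkt[ihl:total_len]) == 0
    return info


def pix_would_drop(pkt: bytes) -> bool:
    """Model of the behaviour reported in the thread: ICMP whose data part
    exceeds 992 bytes is silently dropped (no reply, not forwarded)."""
    info = parse_packet(pkt)
    return info["proto"] == 1 and info["icmp_payload"] > PIX_MAX_ICMP_PAYLOAD


def discover_max_payload(drop_fn, hi: int = 1472) -> int:
    """Binary-search the largest ICMP payload that drop_fn lets through, the
    way a path-MTU probe does (1472 = 1500-byte Ethernet MTU minus 28)."""
    lo = 0
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if drop_fn(build_echo_request(mid)):
            hi = mid - 1
        else:
            lo = mid
    return lo


def mtu_from_icmp_payload(payload_len: int) -> int:
    """Convert a largest-passing ICMP payload into the MTU a probe tool reports."""
    return payload_len + IP_HEADER_LEN + ICMP_HEADER_LEN


if __name__ == "__main__":
    best = discover_max_payload(pix_would_drop)
    print("largest ICMP payload passed:", best, "-> apparent MTU", mtu_from_icmp_payload(best))
    for size in (992, 993):
        pkt = build_echo_request(size)
        print(size, parse_packet(pkt), "dropped" if pix_would_drop(pkt) else "passed")
```

The point the model makes visible is that a silent ICMP drop is indistinguishable, to a probe, from a 1020-byte link: the probe never receives a "fragmentation needed" message, so it reports the largest echo that got an answer. That is why the 1020 figure shows up against Internet hosts too, and why it says nothing about the real MTU that UDP traffic (the Active Directory case in the last post) will see on the VPN; the 40-byte question D. asks is left as posed.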