
Packets: icmp unreachable need to frag (mtu 1416)

Answered Question
Aug 13th, 2012

Hi guys


We have recently been dealing with a situation where we get the above packets and access to one of our applications just hangs.


To tell you a bit about our network: it is a hub and spoke topology, with IPsec GRE tunnels over MPLS, and the application is stored at the hub site.

Now on the link into the hub site we have a firewall that filters the data coming in from remote sites. On the outside interface of the firewall (which is connected to the hub router) I capture a lot of 'icmp unreachable need to frag (mtu 1416)' packets from the router interface when the app attempts to reply to the client request.

Basically the application is not accessible from any remote sites.


I have checked the MTU size on the firewall interface and it is 1500; on the router it is not changed, so I'm presuming it'll be the default one, so I am not quite sure where to look or what the problem might be.

Any help or direction is much appreciated.


And here's a sample of the packet capture:


101: 10:18:50 0x0800 70: 192.168.60.254 > 192.168.240.11: icmp: 192.168.67.10 unreachable - need to frag (mtu 1416) (ttl 255, id 23798)


Where 192.168.60.254 is the router interface, 192.168.240.11 is the application and 192.168.67.10 is the client.


Many thanks

Elena

Oleg Volkov Mon, 08/13/2012 - 10:07

Hi.

I think your application sometimes tries to send large IP packets with the "do not fragment" flag set, or uses IPv6 packets, and your router cannot fragment these packets.

You can try setting the MTU on your application server to 1416 bytes or lower.





Alessio Andreoli Mon, 08/13/2012 - 10:19

Hi Elena,

It seems like spoofing to me. I would not decrease the MTU before counting exactly what the maximum length of your packet overhead is, and maybe MTU discovery could help. Remember anyway to adjust the MSS too. By the way, why are you using IPsec/GRE over MPLS?


Take Care

Alessio

Correct Answer
Audrius Jonavicius Mon, 08/13/2012 - 13:48

Hi,


Try setting "ip tcp adjust-mss 1360" on the router interface facing the LAN side.

This needs to be done on both sides.


Regards,

Audrius
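The diagnosis in Elena's question and the MSS clamp in the answer above, as an added example in Python that is not part of this thread and not a Cisco tool. It parses ICMP "need to frag" lines in the format of the posted capture (the sample lines below are constructed from Elena's single posted line; the extra packet numbers, timestamps and ids are made up), groups them per server/client path, and derives the largest TCP MSS that fits the advertised next-hop MTU: 1416 minus 20 bytes of IPv4 header minus 20 bytes of TCP header gives 1376, so the 1360 suggested in the answer fits with 16 bytes of headroom. Repeated need-frag messages for the same path mean the server kept sending full-size packets, which is the signature of a path MTU discovery black hole (the ICMP never reached the sender or was ignored) and is why clamping MSS on the routers works even when PMTUD does not. The `ip tcp adjust-mss` string it emits is the real IOS command from the answer; the function names, the `NeedFrag` class and the `margin` parameter are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample capture, modelled on the one line posted in the question
# (packet numbers, timestamps and ids other than the first are made up).
SAMPLE_CAPTURE = """\
101: 10:18:50 0x0800 70: 192.168.60.254 > 192.168.240.11: icmp: 192.168.67.10 unreachable - need to frag (mtu 1416) (ttl 255, id 23798)
102: 10:18:50 0x0800 70: 192.168.60.254 > 192.168.240.11: icmp: 192.168.67.10 unreachable - need to frag (mtu 1416) (ttl 255, id 23799)
103: 10:18:51 0x0800 70: 192.168.60.254 > 192.168.240.11: icmp: 192.168.67.10 unreachable - need to frag (mtu 1416) (ttl 255, id 23801)
104: 10:18:53 0x0800 70: 192.168.60.254 > 192.168.240.11: icmp: 192.168.67.10 unreachable - need to frag (mtu 1416) (ttl 255, id 23805)
"""

# Matches the ICMP type 3 code 4 ("fragmentation needed") line layout above.
NEED_FRAG = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): icmp: "
    r"(?P<unreach>\d+\.\d+\.\d+\.\d+) unreachable - need to frag \(mtu (?P<mtu>\d+)\)"
)

IPV4_HEADER = 20  # bytes, no IP options
TCP_HEADER = 20   # bytes, no TCP options


@dataclass(frozen=True)
class NeedFrag:
    router: str   # hop that sent the ICMP: its next link is too small
    server: str   # original sender of the oversized packet, receiver of the ICMP
    client: str   # original destination the packet could not reach at that size
    mtu: int      # next-hop MTU the router advertises


def parse_need_frag(capture: str) -> list[NeedFrag]:
    """Extract every need-frag event from a capture in the posted format."""
    events = []
    for line in capture.splitlines():
        m = NEED_FRAG.search(line)
        if m:
            events.append(NeedFrag(m["src"], m["dst"], m["unreach"], int(m["mtu"])))
    return events


def max_mss_for_mtu(mtu: int) -> int:
    """Largest IPv4 TCP payload that fits in one packet of the given MTU."""
    return mtu - IPV4_HEADER - TCP_HEADER


def summarize(events: list[NeedFrag]) -> dict[tuple[str, str], tuple[int, int]]:
    """Per (server, client) path: number of need-frag messages and the smallest
    advertised MTU. Several messages for one path mean the sender never shrank
    its packets, i.e. PMTUD is not working on that path."""
    paths: dict[tuple[str, str], tuple[int, int]] = {}
    for e in events:
        key = (e.server, e.client)
        count, mtu = paths.get(key, (0, e.mtu))
        paths[key] = (count + 1, min(mtu, e.mtu))
    return paths


def recommended_mss(events: list[NeedFrag], margin: int = 0) -> int:
    """MSS to clamp to, derived from the smallest MTU seen minus an optional
    safety margin (hypothetical parameter; the thread simply picked 1360)."""
    smallest = min(e.mtu for e in events)
    return max_mss_for_mtu(smallest) - margin


def ios_adjust_mss(mss: int) -> str:
    """The IOS interface command from the answer, for the LAN-facing interface."""
    return f"ip tcp adjust-mss {mss}"


if __name__ == "__main__":
    events = parse_need_frag(SAMPLE_CAPTURE)
    for (server, client), (count, mtu) in summarize(events).items():
        print(f"{server} -> {client}: {count} need-frag messages, next-hop MTU {mtu}")
    print("largest MSS that fits:", recommended_mss(events))
    print("clamp used in this thread:", ios_adjust_mss(1360))
```

Running it on the constructed capture reports four need-frag messages for the 192.168.240.11 -> 192.168.67.10 path with an MTU of 1416, a maximum fitting MSS of 1376, and the `ip tcp adjust-mss 1360` line to put on the LAN-facing interface at both ends, as the answer says.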

london.ism Tue, 08/14/2012 - 02:36

Hello guys


Thank you all for your suggestions, I got it working in the end by changing the mss size to 1360.

Something to keep in mind for the future.


Thanks

Elena
