pinging with large packets

Unanswered Question
Posted March 11, 2005 at 11:57 AM

If I ping the outside or through the outside interface of the PIX with a packet size greater than 1000 bytes, the ping fails. All of the interfaces' MTUs are set to 1500. If I ping the inside interface it is fine.

smalkeric Thu, 03/17/2005 - 12:23

If you have turned on IDS on the PIX, the packets can be dropped, claiming they are large packets.

layer9 Thu, 03/17/2005 - 13:05

The only way MTU would be an issue here is if the DF (don't fragment) bit is set on your outbound ICMP packets, AND if there is an MTU in the ping path that is less than 1028 bytes. There is about 28 bytes of overhead on a standard ICMP ping packet, so if you set your packet to 1000, AND an MTU in your path is set to 1027, AND the DF bit is set on your outbound ICMP packet, only then would you see this as an issue. Then, since there are 28 bytes of overhead on the ICMP packet and you set your packet to 1000, the actual size of the packet hitting the interface with a 1027 MTU is 1028 bytes, so the packet is dropped and an ICMP "packet too large but DF flag set" message is returned to the sending station.

But I seriously doubt that is your issue. You would have to be setting the DF flag on your packets and you would be getting an ICMP error code back. If the DF bit is not set on your ping packets (off by default), then the packet would simply be fragmented and then reassembled on the other side.

Fragmentation is the standard method of overcoming MTU bottlenecks and is employed by default by most NICs. Your packet therefore is probably not being dropped due to size, unless you do have the DF flag set (which you would do on purpose). You can do this also with route maps and policy based routing (play with how the router handles fragmentation), but I can't see this scenario on your PIX.

I suspect you have an issue with ICMP being denied on the outside interface. Make sure ICMP is permitted to the outside interface, and through the PIX for testing purposes.

Chris

Most ICMP packets are going to max out at 1472 or thereabouts. There is overhead on even your ICMP packets, so a 1500 MTU will yield an actual packet size of 1472. But you will get back an ICMP error message.
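The arithmetic in the reply above (28 bytes of IPv4 + ICMP overhead, a 1000-byte ping becoming a 1028-byte datagram, and the difference between DF set and DF clear at a 1027-byte hop) can be checked with a small model. The following is an added example, not code from the thread or from Cisco; it assumes an IPv4 header without options (20 bytes) and the 8-byte ICMP echo header, and the hop MTU lists passed to `send_ping` are constructed values for illustration.

```python
"""Model what happens to an ICMP echo request as it crosses hops of varying
MTU, with and without the DF bit.  Added example for the thread above; the
hop MTU values used are constructed, not taken from any real path."""
from dataclasses import dataclass, field
from typing import List

IP_HEADER = 20                       # IPv4 header, no options
ICMP_HEADER = 8                      # ICMP echo request/reply header
OVERHEAD = IP_HEADER + ICMP_HEADER   # the "about 28 bytes" in the reply


@dataclass
class Outcome:
    delivered: bool
    reason: str
    # on-wire sizes of the datagram(s) arriving at the far end
    fragments: List[int] = field(default_factory=list)


def wire_size(payload: int) -> int:
    """Total IPv4 datagram size for `ping -s payload` (data bytes only)."""
    return payload + OVERHEAD


def max_payload(mtu: int) -> int:
    """Largest ping payload that still fits in one datagram of this MTU."""
    return mtu - OVERHEAD


def fragment(total: int, mtu: int) -> List[int]:
    """Split an IPv4 datagram of `total` bytes so each piece fits `mtu`.

    Every fragment carries its own 20-byte IP header, and all fragments but
    the last carry a multiple of 8 data bytes (IPv4 fragment offsets are in
    8-byte units).
    """
    if total <= mtu:
        return [total]
    data = total - IP_HEADER
    per_fragment = (mtu - IP_HEADER) // 8 * 8   # usable data per fragment
    pieces = []
    while data > 0:
        chunk = min(per_fragment, data)
        pieces.append(chunk + IP_HEADER)
        data -= chunk
    return pieces


def send_ping(payload: int, path_mtus: List[int], df: bool) -> Outcome:
    """Walk the echo request hop by hop.

    DF set:   a datagram larger than a hop's MTU is dropped and the sender
              gets ICMP type 3 code 4 (fragmentation needed and DF set).
    DF clear: the datagram is fragmented at that hop; fragments may be
              fragmented again at a later, smaller hop.
    """
    sizes = [wire_size(payload)]
    for hop, mtu in enumerate(path_mtus):
        next_sizes: List[int] = []
        for size in sizes:
            if size <= mtu:
                next_sizes.append(size)
            elif df:
                return Outcome(
                    False,
                    f"hop {hop}: {size}-byte datagram exceeds MTU {mtu} with DF set; "
                    f"ICMP type 3 code 4 returned to sender",
                )
            else:
                next_sizes.extend(fragment(size, mtu))
        sizes = next_sizes
    return Outcome(True, "delivered", sizes)


if __name__ == "__main__":
    # Constructed paths: a normal 1500-byte path and one with a 1027-byte hop.
    print(wire_size(1000), max_payload(1500))                      # 1028 1472
    print(send_ping(1000, [1500, 1027], df=True))                   # dropped
    print(send_ping(1000, [1500, 1027], df=False))                  # [1020, 28]
    print(send_ping(1472, [1500], df=True), send_ping(1473, [1500], df=True))
```

The point of the model is the one the reply makes: with DF clear (the default on most hosts), a 1028-byte datagram at a 1027-byte hop is simply cut into a 1020-byte and a 28-byte fragment and reassembled at the destination, so size alone does not make a ping fail; only DF plus an undersized hop does, and then the sender receives an explicit ICMP error rather than silence. A silent timeout on a 1500-MTU path therefore points at a filter or inspection drop, not at MTU.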

stalljh Thu, 03/17/2005 - 13:13

OK, so through the outside interface from the inside, what is the next hop after your outside interface. Is that what you are pinging? If so, what is that interface MTU set for?

HTH
