03-11-2005 11:57 AM - edited 03-09-2019 10:36 AM
If I ping the outside or through the outside interface of the PIX with a packet size greater than 1000 bytes the ping fails. All of the interfaces' MTUs are set to 1500. If I ping the inside interface it is fine.
03-17-2005 12:23 PM
If you have turned on IDS on the pix the packets can be dropped, claiming they are large packets.
03-17-2005 01:05 PM
The only way MTU would be an issue here is if the DF (don't fragment) bit is set on your outbound ICMP packets, AND if there is an MTU in the ping path that is less than 1028 bytes. There is about 28 bytes overhead on a standard ICMP ping packet, so if you set your packet to 1000, AND an MTU in your path is set to 1027, AND the DF bit is set on your outbound ICMP packet, only then would you see this as an issue. Then since there are 28 bytes of overhead on the ICMP packet and you set your packet to 1000, the actual size of the packet hitting the interface with a 1027 MTU is actually 1028 bytes in size, so the packet is dropped and an ICMP "packet too large but DF flag set" message is returned to the sending station.
But I seriously doubt that is your issue. You would have to be setting the DF flag on your packets and you would be getting an ICMP error code back. If the DF bit is not set on your ping packets (off by default) then the packet would simply be fragmented and then reassembled on the other side.
Fragmentation is the standard method of overcoming MTU bottlenecks and is employed by default by most NICs. Your packet therefore is probably not being dropped due to size, unless you do have the DF flag set (which you would do on purpose). You can do this also with route maps and policy-based routing (play with how the router handles fragmentation), but I can't see this scenario on your PIX.
I suspect you have an issue with ICMP being denied on the outside interface. Make sure ICMP is permitted to the outside interface, and through the PIX for testing purposes.
Chris
Most ICMP packets are going to max out at 1472 or thereabouts. There is overhead on even your ICMP packets, so a 1500 MTU will yield an actual packet size of 1472. But you will get back an ICMP error message.
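The arithmetic in the reply above (28 bytes of IP + ICMP overhead, 1472 bytes of payload fitting a 1500-byte MTU, and the difference between a DF-bit drop and ordinary fragmentation) can be worked through in a small model. The following is an added example, not code from the thread or from Cisco; it assumes an IPv4 header without options (20 bytes) plus an 8-byte ICMP echo header, and represents the ping path as a constructed list of per-hop MTUs.

```python
# Added example (not from the thread): model an ICMP echo request of a given
# payload size crossing a path of per-hop MTUs, with and without the DF bit.

IP_HDR = 20                    # IPv4 header, no options (assumption)
ICMP_HDR = 8                   # ICMP echo header: type, code, checksum, id, seq
OVERHEAD = IP_HDR + ICMP_HDR   # the ~28 bytes of overhead the reply mentions


def wire_size(payload):
    """Total IPv4 packet length for an ICMP echo carrying `payload` data bytes."""
    return OVERHEAD + payload


def max_payload(mtu):
    """Largest ICMP echo payload that crosses a link of this MTU unfragmented
    (1472 for a 1500-byte MTU)."""
    return mtu - OVERHEAD


def fragment(total_len, mtu):
    """Split an IPv4 packet of total_len bytes into fragment lengths that fit mtu.
    Every fragment carries its own 20-byte IP header, and all but the last must
    carry a multiple of 8 data bytes because fragment offsets count 8-byte units."""
    data = total_len - IP_HDR
    per_frag = (mtu - IP_HDR) // 8 * 8
    frags = []
    while data > 0:
        chunk = min(per_frag, data)
        frags.append(IP_HDR + chunk)
        data -= chunk
    return frags


def send_ping(payload, path_mtus, df=False):
    """Walk the echo request along path_mtus (one MTU per hop, in order).

    Returns a dict: with DF set, the first hop whose MTU is too small drops the
    packet and answers with ICMP Destination Unreachable / Fragmentation Needed
    (type 3, code 4); without DF, that hop fragments it and delivery continues,
    with later hops re-fragmenting any piece that is still too large."""
    sizes = [wire_size(payload)]
    first_frag_hop = None
    for hop, mtu in enumerate(path_mtus):
        if max(sizes) <= mtu:
            continue
        if df:
            return {"delivered": False, "dropped_at_hop": hop,
                    "icmp_error": (3, 4), "next_hop_mtu": mtu}
        if first_frag_hop is None:
            first_frag_hop = hop
        sizes = [f for s in sizes
                 for f in (fragment(s, mtu) if s > mtu else [s])]
    return {"delivered": True, "fragmented_at_hop": first_frag_hop,
            "fragments": sizes}


if __name__ == "__main__":
    # Constructed path: a 1500-byte first hop followed by a 1027-byte link,
    # the exact scenario the reply describes for a 1000-byte ping payload.
    path = [1500, 1027]
    print("wire size of 1000-byte ping:", wire_size(1000))        # 1028
    print("max payload for 1500 MTU:", max_payload(1500))         # 1472
    print("DF set:    ", send_ping(1000, path, df=True))
    print("DF clear:  ", send_ping(1000, path, df=False))
    print("all 1500:  ", send_ping(1000, [1500, 1500]))
```

With DF set, the 1028-byte packet is dropped at the 1027-byte hop and the sender sees the type 3 / code 4 error the reply refers to; with DF clear (the default) the same packet is simply split into a 1020-byte and a 28-byte fragment and arrives, which is why a size-related failure on a 1500-byte path almost always points at an ICMP filter rather than at MTU.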
03-17-2005 01:13 PM
OK, so through the outside interface from the inside, what is the next hop after your outside interface. Is that what you are pinging? If so, what is that interface MTU set for?
HTH