Allowing ICMP: Fixing MTU path-discovery.....

abatson
Level 1

Just read an article on what disallowing ICMP does to MTU path-discovery (breaks it). It causes poor web performance, and some WWW servers might be totally unavailable if the client or server can't learn the proper MTU for each other.

The debug on my Internet router shows messages like this popping up about 2-3 a second:

ICMP: dst (198.186.46.80) administratively prohibited unreachable sent to 200.203.120.200

ICMP: dst (198.186.34.185) administratively prohibited unreachable sent to 61.156.8.35

ICMP: dst (198.186.37.19) administratively prohibited unreachable sent to 220.145.84.66

ICMP: dst (198.186.43.180) administratively prohibited unreachable sent to 66.28.34.133

ICMP: dst (198.186.37.248) administratively prohibited unreachable sent to 200.32.106.79

ICMP: dst (198.186.41.248) administratively prohibited unreachable sent to 220.145.84.66

ICMP: dst (198.186.40.64) administratively prohibited unreachable sent to 221.12.67.57

_____________________________________________

Question: How to tell my 2611XM router above to allow these ICMP messages through, and what ICMP protocol type can I let through my CheckPoint firewall, in order to make Path-Discovery work properly? --and not have mgmt. laugh at me when I tell them I want to 'open up ICMP'...

--Alex


jezerski
Level 1

You might be confusing MTU with MSS (Max. Segment Size). Remember MTU is really a layer 2 concept. MSS is negotiated at a higher level within the 3-way TCP handshake. For example, this is how web servers let clients know what their MSS is and to adjust accordingly. A Path MTU problem is mostly something that happens between routers in the path, and becomes more prevalent when using added encapsulation like GRE and/or IPSEC. You can allow PMTU on your router by allowing ICMP type 3, code 4 messages.

Example using an ACL:

access-list 101 permit icmp any any 3 4

Note that when you look at the running-config, IOS resolves the ICMP type and code to look like this:

permit icmp any any packet-too-big

There are some things to think about because there are known Denial of Service attacks using Path MTU. Here is one URL that discusses this type of attack:

http://www.securiteam.com/securitynews/5AP0D2A35U.html

HTH

-Joe
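As an added example (not from this thread or from Cisco), the following Python models what the `permit icmp any any 3 4` entry above lets through: it decodes an ICMP type 3 / code 4 message, pulls out the next-hop MTU and the IP header of the dropped datagram, and adds the origin check a stateful firewall would apply on top of the stateless ACL. The addresses and the inside prefix are constructed test values.

```python
import struct
import ipaddress

# PMTUD relies on ICMP type 3 (Destination Unreachable) code 4 (Fragmentation
# Needed and DF set). Bytes 6..7 of that header carry the next-hop MTU (RFC 1191),
# followed by the IP header and first 8 bytes of the datagram that was dropped.
ICMP_UNREACH, CODE_FRAG_NEEDED = 3, 4

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum; returns 0 when the embedded checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def parse_frag_needed(icmp: bytes) -> dict:
    """Decode a type 3 / code 4 message; raise ValueError for anything else."""
    if len(icmp) < 28:
        raise ValueError("truncated ICMP message")
    if icmp_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (itype, code) != (ICMP_UNREACH, CODE_FRAG_NEEDED):
        raise ValueError(f"not fragmentation-needed: type {itype} code {code}")
    inner = icmp[8:28]  # IP header of the datagram that was dropped
    return {"next_hop_mtu": mtu, "orig_proto": inner[9],
            "orig_src": ipaddress.IPv4Address(inner[12:16]),
            "orig_dst": ipaddress.IPv4Address(inner[16:20])}

def accept_pmtud_reply(icmp: bytes, inside_prefix: str) -> bool:
    """Model of `permit icmp any any 3 4` plus what a stateful firewall adds: the
    quoted datagram must come from one of our inside hosts (inside_prefix is an
    assumed value) and the advertised MTU must be plausible (>= 68, IPv4 minimum)."""
    try:
        info = parse_frag_needed(icmp)
    except ValueError:
        return False
    inside = ipaddress.IPv4Network(inside_prefix)
    return info["orig_src"] in inside and info["next_hop_mtu"] >= 68

def build_unreachable(code: int, mtu: int, orig_src: str, orig_dst: str) -> bytes:
    """Construct a sample type 3 message for testing (constructed, not captured)."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                        ipaddress.IPv4Address(orig_src).packed,
                        ipaddress.IPv4Address(orig_dst).packed) + b"\x00" * 8
    hdr = struct.pack("!BBHHH", ICMP_UNREACH, code, 0, 0, mtu)
    return struct.pack("!BBHHH", ICMP_UNREACH, code, icmp_checksum(hdr + inner), 0, mtu) + inner
```

Only the fragmentation-needed reply for traffic an inside host actually sent is accepted; other unreachable codes, replies quoting an outside source, a corrupted checksum and an MTU of 0 are all dropped.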