Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Allowing ICMP: Fixing MTU path-discovery.....

Just read an article on what disallowing ICMP does to MTU path-discovery (breaks it) It causes poor web performance, and some WWW servers might be totally unavailable if the client or server can't learn the proper MTU for each other.

The debug on my Internet router shows messages like this popping up about 2-3 a second:

ICMP: dst (198.186.46.80) administratively prohibited unreachable sent to 200.203.120.200

ICMP: dst (198.186.34.185) administratively prohibited unreachable sent to 61.156.8.35

ICMP: dst (198.186.37.19) administratively prohibited unreachable sent to 220.145.84.66

ICMP: dst (198.186.43.180) administratively prohibited unreachable sent to 66.28.34.133

ICMP: dst (198.186.37.248) administratively prohibited unreachable sent to 200.32.106.79

ICMP: dst (198.186.41.248) administratively prohibited unreachable sent to 220.145.84.66

ICMP: dst (198.186.40.64) administratively prohibited unreachable sent to 221.12.67.57

_____________________________________________

Question: How to tell my 2611XM router above, to allow these ICMP messages through, and what ICMP Protocol type can I let thru my CheckPoint firewall, in order to make Path-Discovery work properly? --and not have mgmt. laugh at me when I tell them I want to 'open up ICMP'...

--Alex

1 REPLY
New Member

Re: Allowing ICMP: Fixing MTU path-discovery.....

You might be confusing MTU with MSS (Max. Segment Size). Remember MTU is really a layer 2 concept. MSS is negotiated at a higher level within the 3-way TCP handshake. For example, this is how web servers let clients know what their MSS is and to adjust accordingly. A Path MTU problem is mostly something that happens between routers in the path, and becomes more prevalent when using added encapsulation like GRE and/or IPSEC. You can allow PMTU on your router by allowing ICMP type3 code 4 messages.

Example using an ACL:

access-list 101 permit icmp any any 3 4

Note that when you look at the running-config, IOS resolves the ICMP type and code to look like this:

permit icmp any any packet-too-big

There are some things to think about because there are known Denial of Service attacks using Path MTU. Here is one URL that discusses this type of attack:

http://www.securiteam.com/securitynews/5AP0D2A35U.html

HTH

-Joe

731
Views
0
Helpful
1
Replies
CreatePlease to create content