We have recently been dealing with a situation where we get the above packets and access to one of our applications just hangs.
To tell you a bit about our network, hub and spoke topology, with IPSEC GRE tunnels over MPLS, and the application stored at the hub site.
Now on the link into the hub site we have a firewall that filters the data coming in from remote sites. On the outside interface of the firewall (which is connected to the hub router) I capture a lot of 'icmp unreachable need to frag (mtu 1416)' packets from the router interface when the app attempts to reply to the client request.
Basically the application is not accessible from any remote sites.
I have checked the MTU size on the firewall interface and it is 1500; on the router it is not changed, so I'm presuming it'll be the default one, so I am not quite sure where to look or what the problem might be.
Any help or direction is much appreciated.
And here's a sample of the packet capture:
101: 10:18:50 0x0800 70: 192.168.60.254 > 192.168.240.11: icmp: 192.168.67.10 unreachable - need to frag (mtu 1416) (ttl 255, id 23798)
Where 192.168.60.254 is the router interface, 192.168.240.11 is the application and 192.168.67.10 is the client.
It seems like spoofing to me... I would not decrease the MTU before counting exactly what the max length of your packet overhead is, and maybe MTU discovery could help. Remember anyway to adjust the MSS too. By the way, why are you using IPSec/GRE over MPLS?
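One way to test the spoofing suspicion and size the MSS from the capture, as an added example that is not part of the thread: it parses the quoted capture line, checks the message against the addresses named in the post, and derives the largest TCP segment that fits the advertised MTU. The /24 client prefix, the 40-byte header figure (IPv4 and TCP without options) and the second sample line are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Matches the capture line format quoted in the post.
IP = r"\d+\.\d+\.\d+\.\d+"
LINE_RE = re.compile(
    rf"(?P<reporter>{IP}) > (?P<sender>{IP}): icmp: (?P<orig_dst>{IP}) "
    r"unreachable - need to frag \(mtu (?P<mtu>\d+)\)"
)
IPV4_MIN_MTU = 68      # smallest MTU an IPv4 link may have (RFC 791)
IP_TCP_HEADERS = 40    # 20-byte IPv4 + 20-byte TCP header, no options

def parse_frag_needed(line):
    """Return the fields of a 'need to frag' line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = {k: ip_address(v) for k, v in m.groupdict().items() if k != "mtu"}
    ev["mtu"] = int(m["mtu"])
    return ev

def assess(ev, routers, servers, remote_nets, link_mtu=1500):
    """List the reasons the message is implausible; empty means consistent."""
    findings = []
    if ev["reporter"] not in routers:
        findings.append("reporter is not a known on-path router")
    if ev["sender"] not in servers:
        findings.append("addressed to a host that is not a known server")
    if not any(ev["orig_dst"] in net for net in remote_nets):
        findings.append("original destination is not a remote-site client")
    if not IPV4_MIN_MTU <= ev["mtu"] < link_mtu:
        findings.append("advertised MTU outside the plausible range")
    return findings

def max_tcp_mss(mtu):
    """Largest TCP payload per segment that fits the advertised MTU."""
    return mtu - IP_TCP_HEADERS

# Addresses from the post; the /24 client prefix is an assumption.
ROUTERS = {ip_address("192.168.60.254")}
SERVERS = {ip_address("192.168.240.11")}
REMOTE_NETS = [ip_network("192.168.67.0/24")]
SAMPLE = ("101: 10:18:50 0x0800 70: 192.168.60.254 > 192.168.240.11: icmp: "
          "192.168.67.10 unreachable - need to frag (mtu 1416) (ttl 255, id 23798)")
# Constructed line: unknown reporter and an MTU below the IPv4 minimum.
IMPLAUSIBLE = ("102: 10:18:51 0x0800 70: 10.9.9.9 > 192.168.240.11: icmp: "
               "192.168.67.10 unreachable - need to frag (mtu 64) (ttl 57, id 4100)")

if __name__ == "__main__":
    for line in (SAMPLE, IMPLAUSIBLE):
        ev = parse_frag_needed(line)
        print(ev["reporter"], ev["mtu"], max_tcp_mss(ev["mtu"]),
              assess(ev, ROUTERS, SERVERS, REMOTE_NETS))
```

The line from the post passes every check, which points to a genuine path-MTU limit on the tunnel rather than a forged message; segments from the application would need an MSS of 1376 or less to fit it.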