Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Packets: icmp unreachable need to frag (mtu 1416)

Hi guys

We have recently been dealing with a situation where we get the above packets and access to one of our applications just hangs.

To tell you a bit about our network, hub and spoke topology, with IPSEC GRE tunnels over MPLS, and the application stored at the hub site.

Now on the link into the hub site we have a firewall that filters the data coming in from remote sites. On the outside interface of the firewall (which is connected to the hub router) I capture a lot of 'icmp unreachable need to frag (mtu 1416)' packets from the router interface when the app attempts to reply to the client request.

Basically the application is not accessiblefrom any remote sites.

I have checked the mtu size on the firewall interface and 1500, on the router is not changed so I'm presuming it'll be the default one so am not quite sure where to look or what the problem might be.

Any help or direction is much appreciated.

And here's a sample of the packet capture:

101: 10:18:50 0x0800 70: 192.168.60.254 > 192.168.240.11: icmp: 192.168.67.10 unreachable - need to frag (mtu 1416) (ttl 255, id 23798)

Where is 192.168.60.254 is the router interface, 192.168.240.11 is the application and 192.168.67.10 is the client.

Many thanks

Elena

Everyone's tags (3)
1 ACCEPTED SOLUTION

Accepted Solutions
Community Member

Packets: icmp unreachable need to frag (mtu 1416)

Hi,

try to set "ip tcp adjust-mss 1360" on router interface looking to the LAN side.

This need to be done on both sides.

Regards,

Audrius

4 REPLIES
Community Member

Packets: icmp unreachable need to frag (mtu 1416)

Hi.

I think, Your application, sometimes try to send the large IP packet with set flag "do not fragment" or using IPv6 packets. And your router, can not fragment this packages.

You can try set MTU on Your application server equal 1416 byte or lower.

------------------------------------------------------
Helping seriously ill children, all together. All information about this, is posted on my blog

------------------------------------------------------ Helping seriously ill children, all together. All information about this, is posted on my blog

Packets: icmp unreachable need to frag (mtu 1416)

Hi Elena,

it seems spoofing to me..... i would not decrease the MTU before counting exactly which is the max lenght of your packets overhead and maybe a MTU discovery could help. Remember anyway to adjust the mss too by the way, why are you using IPSec/GRE over MPLS?

Take Care

Alessio

Community Member

Packets: icmp unreachable need to frag (mtu 1416)

Hi,

try to set "ip tcp adjust-mss 1360" on router interface looking to the LAN side.

This need to be done on both sides.

Regards,

Audrius

Community Member

Packets: icmp unreachable need to frag (mtu 1416)

Hello guys

Thank you all for your suggestions, I got it working in the end by changing the mss size to 1360.

Something to keep in mind for the future.

Thanks

Elena

5674
Views
0
Helpful
4
Replies
CreatePlease to create content