Two questions:
1) I assume MTU path discovery has to be enabled on each router in the path in order for it to work correctly?
2) Does anybody use this to solve application issues over an IPSec tunnel due to too large a frame?
Any help would be great.
Thanks
Actually, no. All that's required is that:
a) The router handle the case of a too-large packet with the DF bit set by
sending back an ICMP 'Dest Unreachable - Frag Needed' packet. I've never
actually encountered a router that didn't get this part right. (Has anybody ever
seen a router botch this, *other* than a config error covered in (b) below?)
b) said ICMP makes it back to the originating machine. This is where all the
operational breakage I've ever seen on PMTU Discovery comes from. And in almost
all cases, one of two things is at fault. Either some bonehead firewall admin
is "blocking all ICMP for security" (fixable by reconfiguring the firewall to
let ICMP Frag Needed error messages through), or some bonehead network provider
numbered their point-to-points from 1918 space and the ICMP gets ingress/egress
filtered (this one is usually not fixable except with a baseball bat).
> > 1) I assume MTU path discovery has to be enabled on each router in
> > the path in order for it to work correctly?
> Actually, no. All that's required is that:
> a) The router handle the case of a too-large packet with the DF bit set by
> sending back an ICMP 'Dest Unreachable - Frag Needed' packet. I've never
> actually encountered a router that didn't get this part right. (Has
> anybody ever seen a router botch this, *other* than a config error
> covered in (b) below?)
When you consider that most firewalls are technically routers (albeit
somewhat pathological routers), yes... Many firewalls fail to send back
the ICMP and silently drop the DF packet.
> b) said ICMP makes it back to the originating machine. This is where all
> the operational breakage I've ever seen on PMTU Discovery comes from. And
> in almost all cases, one of two things is at fault. Either some bonehead
> firewall admin is "blocking all ICMP for security" (fixable by
> reconfiguring the firewall to let ICMP Frag Needed error messages
> through), or some bonehead network provider numbered their
> point-to-points from 1918 space and the ICMP gets ingress/egress filtered
> (this one is usually not fixable except with a baseball bat).
Yep... Those are definitely the most common PMTU-D problems.
Owen
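The two conditions described in this thread, (a) the hop with the small MTU must emit ICMP 'Dest Unreachable - Frag Needed' and (b) that ICMP must get back through every upstream firewall, can be modelled end to end. The following Python is an added example written for this page; it is not code from either poster. It builds and parses a real RFC 792/RFC 1191 Frag Needed message (type 3, code 4, next-hop MTU field, checksum), then simulates a sender doing PMTUD with DF set across a hypothetical path of sender -> firewall -> tunnel hop -> destination. The hop names, the 1400-byte MTU standing in for IPsec encapsulation overhead (the second question's scenario), and the two firewall policy functions are assumptions made for the example. It covers the three outcomes discussed: the firewall admits type 3 code 4 and discovery converges; the firewall "blocks all ICMP" and the sender black-holes; and the firewall is itself the small-MTU hop and silently drops the DF packet without sending any ICMP (Owen's point).

```python
import struct
from dataclasses import dataclass
from typing import Callable, List, Optional

ICMP_DEST_UNREACH = 3   # ICMP type 3
CODE_FRAG_NEEDED = 4    # code 4: fragmentation needed and DF set
# RFC 1191 plateau table, used when a router reports no next-hop MTU (field = 0)
PLATEAUS = [65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68]

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a message carrying a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frag_needed(next_hop_mtu: int, dropped: bytes) -> bytes:
    """ICMP 'Destination Unreachable - Fragmentation Needed' as a router emits it:
    RFC 792 header with the RFC 1191 next-hop MTU field, followed by the IP header
    and first 8 bytes of the datagram that was dropped."""
    msg = struct.pack("!BBHHH", ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, 0, 0, next_hop_mtu)
    msg += dropped[:28]
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]

def parse_frag_needed(msg: bytes) -> Optional[int]:
    """Return the next-hop MTU from a Frag Needed message, or None if it is not one."""
    if len(msg) < 8 or icmp_checksum(msg) != 0:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if (icmp_type, code) != (ICMP_DEST_UNREACH, CODE_FRAG_NEEDED):
        return None
    return mtu

# Two hypothetical firewall policies for ICMP heading back toward the sender.
def block_all_icmp(msg: bytes) -> bool:
    """The 'block all ICMP for security' policy from the thread: nothing gets through."""
    return False

def allow_frag_needed(msg: bytes) -> bool:
    """Still drop other ICMP, but let type 3 code 4 through so PMTUD works."""
    return len(msg) >= 2 and (msg[0], msg[1]) == (ICMP_DEST_UNREACH, CODE_FRAG_NEEDED)

@dataclass
class Hop:
    name: str
    mtu: int
    sends_frag_needed: bool = True                         # False: silently drops oversize DF packets
    icmp_back: Callable[[bytes], bool] = lambda msg: True  # filter on ICMP transiting back to the sender

def discover_path_mtu(path: List[Hop], start: int = 1500, max_rounds: int = 12) -> dict:
    """Simulate a sender doing PMTUD with DF set across `path` (sender side first)."""
    size = start
    for rnd in range(1, max_rounds + 1):
        datagram = bytes(size)  # contents are irrelevant; only the size matters
        for i, hop in enumerate(path):
            if size <= hop.mtu:
                continue  # fits this hop, forward it
            if not hop.sends_frag_needed:
                return {"status": "blackhole", "pmtu": None, "rounds": rnd, "stuck_at": hop.name}
            icmp = build_frag_needed(hop.mtu, datagram)
            # the error must cross every upstream hop's filter on its way back
            for upstream in reversed(path[:i]):
                if not upstream.icmp_back(icmp):
                    return {"status": "blackhole", "pmtu": None, "rounds": rnd, "stuck_at": upstream.name}
            mtu = parse_frag_needed(icmp)
            # next-hop MTU of 0 means a pre-RFC 1191 router: step down the plateau table instead
            size = mtu if mtu else max((p for p in PLATEAUS if p < size), default=68)
            break
        else:
            return {"status": "ok", "pmtu": size, "rounds": rnd}
    return {"status": "gave_up", "pmtu": None, "rounds": max_rounds}

def run_scenarios() -> dict:
    """Hypothetical topology: sender -> firewall -> tunnel hop -> destination.
    The 1400-byte hop MTU is an assumed value standing in for IPsec overhead."""
    good_fw = Hop("fw", 1500, icmp_back=allow_frag_needed)
    bad_fw = Hop("fw", 1500, icmp_back=block_all_icmp)
    tunnel = Hop("ipsec", 1400)
    silent_fw = Hop("fw", 1400, sends_frag_needed=False)  # the firewall is itself the small hop
    return {
        "icmp_allowed": discover_path_mtu([good_fw, tunnel]),
        "icmp_blocked": discover_path_mtu([bad_fw, tunnel]),
        "silent_drop": discover_path_mtu([silent_fw, tunnel]),
    }

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

The `icmp_allowed` scenario converges on 1400 in two rounds; the other two never get a usable answer, which is what the application sees as a hang on large writes over the tunnel. The fix the thread describes maps to swapping `block_all_icmp` for `allow_frag_needed` on the firewall; the silent-drop case needs the firewall reconfigured to generate the ICMP itself.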