topic Re: PIX PACKET SIZE PROBLEM. in Network Security

PIX PACKET SIZE PROBLEM.

sgozio — Fri, 21 Feb 2020 07:39:25 GMT

Hi all, I have this situation:

PC - PIX 506 - Router - WAN - Router - AS400

this is my problem:

I ping by my PC the remote AS/400 by this command:

PING AS/400 -l 1472

I obtain correct response.

PING as/400 -l 1500

I obtain time out.

MTU size is default set to 1500 on pix.

It seams my PIX 506 doesn't fragment packet.

How to solve this???

Tks for any answer.

rrgg

Re: PIX PACKET SIZE PROBLEM.

gfullage — Wed, 29 Sep 2004 22:24:14 GMT

OK, so you have a PIX, a router, an entire WAN, and another router in between your PC and the AS400, yet you decide that the PIX is the cause of the problem. What has led you to that? And if you're pinging with packet size of 1500, why would the PIX need to fragment if the PIX MTU is set to 1500?

The cause of the problem is most likely that you're blocking Path MTU Discovery from working properly, by not allowing the ICMP packets back in through the PIX.

You'll probably find one of the paths in the WAN has a lower MTU, and so that router sends back an ICMP Unreachable back to your host. Your host should then fragment the packet down itself so that all fragments can make it to the AS400. The PIX however, will be blocking this ICMP Unreachable from getting back to your PC unless you have explicitly permitted it.

Add the following to your PIX:

access-list inbound permit icmp any any unreachable

access-list inbound permit icmp any any time-exceeded

access-list inbound permit icmp any any echo-reply

access-group inbound in interface outside

and see how that goes.

Read up on http://www.cisco.com/warp/public/105/38.shtml#pmtud_fail for some further information.

Re: PIX PACKET SIZE PROBLEM.

sgozio — Thu, 30 Sep 2004 06:37:50 GMT

Excuse me, explaination: I decide that PIX is cause of the problem because without PIX (I set on one PC the same IP address of the PIX) the PING work correctly. I need to adjust this because AS/400 has MTU size set to 1496 and is not possible change it.

In access list I alredy have:

access-list inbound permit icmp any any echo-reply

TKS.

Re: PIX PACKET SIZE PROBLEM.

sgozio — Thu, 30 Sep 2004 07:05:34 GMT

Another info:

By console I set my PIX in debug mode:

debug icmp trace

when I send ping with size = or < 1472 I see on console various information about icmp traffic

when I send ping with size > 1472 I see nothing.

Re-TKS

Re: PIX PACKET SIZE PROBLEM.

gfullage — Thu, 30 Sep 2004 22:38:03 GMT

Only allowing "echo-reply" will still break Path MTU Discovery. Allow "unreachable" in and see how you go. Allowing "time-exceeded" will allow traceroutes to work properly also.