If a CSM receives a "Destination Unreachable - Fragmentation needed and DF set" ICMP message, does it pass the packet along, after changing the destination address, to the real server that sent the offending packet?
Thanks in advance.
In VIP load balancing the answer is YES.
The CSM will inspect the icmp messages to identify the appropriate connection and the corresponding real server in order to forward the packet to the right destination.
In FWLB, the answer is NO.
Regarding the NO in case of FWLB: is this due to the setup, as the CSM is only "routing" the traffic towards the FWs, or are ICMP messages not inspected at all and only forwarded to the FWs?
FWLB = 'no nat server' and predictor whatever [not forward].
We believe that in FWLB, it does not matter that we send the icmp packet to the wrong firewall.
It should be possible to allow this type of icmp packet to go through the firewall.
Then, we think that with FWLB, there could be a lot of ICMP packets, and inspecting all of them would have an impact on performance, so we don't do it.
I was able to sniff three segments simultaneously. Two of these segments were between the client and the CSM and the third was the server VLAN. I did see the same "fragmentation needed" packet in each segment, and the IP header of the packet in the server VLAN did have the destination address changed to that of the real server. However, the body of the fragmentation needed message included the source address of the virtual server. The real server, thinking that the message did not apply to itself, did not perform the necessary reduction of segment size.
Is there a way to make the CSM change the source address of an offending packet in the body of an "ICMP Unreachable - Fragmentation Needed" message?
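An added example, not part of this thread or of the CSM: a Python model of the "Fragmentation Needed" message with constructed addresses, showing why the real server ignores a message whose quoted header still names the VIP, and what the quoted-header translation a NAT device is expected to perform (RFC 5508) looks like, checksums included.

```python
import socket
import struct

# Constructed addresses: client, the CSM virtual server (VIP) and the real server.
CLIENT, VIP, REAL = "203.0.113.5", "10.0.0.10", "192.168.1.20"

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over an already checksummed block."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto=6, payload_len=1480, df=True):
    """20-byte IPv4 header (no options) with a valid header checksum; DF set by default."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      0x4000 if df else 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def frag_needed(next_hop_mtu, quoted_ip_hdr, quoted_l4):
    """ICMP type 3 code 4 (RFC 1191): unused(2) | MTU(2) | offending IP header + first 8 bytes."""
    body = struct.pack("!HH", 0, next_hop_mtu) + quoted_ip_hdr + quoted_l4[:8]
    return b"\x03\x04" + struct.pack("!H", checksum(b"\x03\x04\x00\x00" + body)) + body

def quoted_source(icmp_msg):
    """Source address inside the quoted header: 8-byte ICMP header + 12-byte offset."""
    return socket.inet_ntoa(icmp_msg[20:24])
def host_acts_on(icmp_msg, host_ip):
    """A host only lowers its path MTU when the quoted packet carries its own source address."""
    return quoted_source(icmp_msg) == host_ip

def translate_quoted_source(icmp_msg, vip, real):
    """NAT-correct handling (RFC 5508 error translation): rewrite the quoted source from the
    VIP to the real server, refresh the quoted IP checksum, then the ICMP checksum."""
    if quoted_source(icmp_msg) != vip:
        return icmp_msg
    inner = bytearray(icmp_msg[8:28])
    inner[12:16] = socket.inet_aton(real)
    inner[10:12] = b"\x00\x00"
    inner[10:12] = struct.pack("!H", checksum(bytes(inner)))
    out = bytearray(icmp_msg[:8]) + inner + bytearray(icmp_msg[28:])
    out[2:4] = b"\x00\x00"
    out[2:4] = struct.pack("!H", checksum(bytes(out)))
    return bytes(out)
# Constructed sample: VIP sent a 1500-byte DF segment to the client; a 1400-byte hop rejects it.
UNTRANSLATED = frag_needed(1400, ipv4_header(VIP, CLIENT), struct.pack("!HHI", 80, 40000, 1))
TRANSLATED = translate_quoted_source(UNTRANSLATED, VIP, REAL)
```

Only the ICMP payload is modelled; rewriting the outer destination address, which the capture above shows the CSM already does, is a separate step and does not change the quoted header.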