09-29-2004 12:55 PM - edited 02-20-2020 11:39 PM
Hi all, I have this situation:
PC - PIX 506 - Router - WAN - Router - AS400
This is my problem:
I ping the remote AS/400 from my PC with this command:
PING AS/400 -l 1472
I obtain a correct response.
PING as/400 -l 1500
I obtain a timeout.
MTU size is set to the default of 1500 on the PIX.
It seems my PIX 506 doesn't fragment packets.
How do I solve this?
Thanks for any answer.
rrgg
09-29-2004 03:24 PM
OK, so you have a PIX, a router, an entire WAN, and another router in between your PC and the AS400, yet you decide that the PIX is the cause of the problem. What has led you to that? And if you're pinging with packet size of 1500, why would the PIX need to fragment if the PIX MTU is set to 1500?
The cause of the problem is most likely that you're blocking Path MTU Discovery from working properly, by not allowing the ICMP packets back in through the PIX.
You'll probably find one of the paths in the WAN has a lower MTU, and so that router sends an ICMP Unreachable back to your host. Your host should then fragment the packet down itself so that all fragments can make it to the AS400. The PIX, however, will be blocking this ICMP Unreachable from getting back to your PC unless you have explicitly permitted it.
Add the following to your PIX:
access-list inbound permit icmp any any unreachable
access-list inbound permit icmp any any time-exceeded
access-list inbound permit icmp any any echo-reply
access-group inbound in interface outside
and see how that goes.
Read up on http://www.cisco.com/warp/public/105/38.shtml#pmtud_fail for some further information.
09-29-2004 11:37 PM
Excuse me, explanation: I decided that the PIX is the cause of the problem because without the PIX (I set the same IP address as the PIX on one PC) the PING works correctly. I need to adjust this because the AS/400 has MTU size set to 1496 and it is not possible to change it.
In the access list I already have:
access-list inbound permit icmp any any echo-reply
Thanks.
09-30-2004 12:05 AM
Another piece of info:
From the console I put my PIX in debug mode:
debug icmp trace
When I send a ping with size = or < 1472, I see various information about ICMP traffic on the console.
When I send a ping with size > 1472, I see nothing.
Thanks again.
09-30-2004 03:38 PM
Only allowing "echo-reply" will still break Path MTU Discovery. Allow "unreachable" in and see how you go. Allowing "time-exceeded" will allow traceroutes to work properly also.
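The Path MTU Discovery mechanism described in the replies, as an added Python example that is not part of the thread: it builds and parses the ICMP Type 3 / Code 4 "fragmentation needed" message a WAN router sends back, validates its checksum, and works out the largest `ping -l` payload the quoted next-hop MTU allows (1468 bytes for the 1496-byte AS/400 MTU). The addresses and packet values are constructed for illustration, not taken from the poster's network.

```python
import struct

ICMP_UNREACHABLE = 3   # ICMP Destination Unreachable
ICMP_FRAG_NEEDED = 4   # code: fragmentation needed and DF set (RFC 1191)


def icmp_checksum(data: bytes) -> int:
    """One's-complement checksum over 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frag_needed(next_hop_mtu: int, inner_ip_hdr: bytes, inner_first8: bytes) -> bytes:
    """Assemble the Fragmentation Needed message a router returns; it quotes the
    offending datagram's IP header plus its first 8 bytes and carries the next-hop MTU."""
    body = struct.pack("!BBHHH", ICMP_UNREACHABLE, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    body += inner_ip_hdr + inner_first8
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def parse_frag_needed(msg: bytes):
    """Return (next_hop_mtu, df_was_set, max_ping_payload) or None if the message is
    not a well-formed Fragmentation Needed reply. A host that never receives this
    message (e.g. the firewall drops it) keeps sending oversized packets and times out."""
    if len(msg) < 8 + 20 + 8:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if icmp_type != ICMP_UNREACHABLE or code != ICMP_FRAG_NEEDED:
        return None
    if icmp_checksum(msg) != 0:  # summing a valid message, checksum included, gives 0
        return None
    inner = msg[8:]
    if (inner[0] >> 4) != 4 or (inner[0] & 0x0F) * 4 < 20:  # quoted header must be IPv4
        return None
    df_was_set = bool(struct.unpack("!H", inner[6:8])[0] & 0x4000)
    # Largest "ping -l" payload that still fits: MTU minus 20-byte IP and 8-byte ICMP echo headers
    return mtu, df_was_set, mtu - 28


def constructed_sample() -> bytes:
    """Constructed sample: a WAN hop with MTU 1496 rejects a 1500-byte DF echo request."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 1, 0,
                         bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5]))  # constructed addresses
    echo_first8 = struct.pack("!BBHHH", 8, 0, 0, 1, 1)   # ICMP echo request header
    return build_frag_needed(1496, ip_hdr, echo_first8)
```

If the firewall permits `icmp unreachable` inbound, this is the message the host receives and acts on; if it is dropped, the host sees only the timeout the original poster reports.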