PIX PACKET SIZE PROBLEM.

sgozio
Level 1

Hi all, I have this situation:

PC - PIX 506 - Router - WAN - Router - AS400

This is my problem:

I ping the remote AS/400 from my PC with this command:

PING AS/400 -l 1472

I get a correct response.

PING AS/400 -l 1500

I get a timeout.

The MTU size on the PIX is at the default of 1500.

It seems my PIX 506 doesn't fragment the packet.

How can I solve this?

Thanks for any answer.

rrgg

4 Replies

gfullage
Cisco Employee

OK, so you have a PIX, a router, an entire WAN, and another router in between your PC and the AS400, yet you decide that the PIX is the cause of the problem. What has led you to that? And if you're pinging with packet size of 1500, why would the PIX need to fragment if the PIX MTU is set to 1500?

The cause of the problem is most likely that you're blocking Path MTU Discovery from working properly, by not allowing the ICMP packets back in through the PIX.

You'll probably find one of the paths in the WAN has a lower MTU, and so that router sends an ICMP Unreachable back to your host. Your host should then fragment the packet down itself so that all fragments can make it to the AS400. The PIX, however, will block this ICMP Unreachable from getting back to your PC unless you have explicitly permitted it.

Add the following to your PIX:

access-list inbound permit icmp any any unreachable
access-list inbound permit icmp any any time-exceeded
access-list inbound permit icmp any any echo-reply
access-group inbound in interface outside

and see how that goes.

Read up on http://www.cisco.com/warp/public/105/38.shtml#pmtud_fail for some further information.
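An added illustration of the Path MTU Discovery failure described above (this is constructed example code, not from the thread or from Cisco): a host sends DF-marked datagrams across a path whose hop MTUs, the firewall's ICMP policy and the sizes are all assumed values chosen to mirror this setup, and the simulation shows what the host learns when the ICMP "unreachable" is permitted back in versus dropped.

```python
import struct

IP_HDR, ICMP_HDR = 20, 8  # bytes; "ping -l N" sends an IP datagram of N + 28 bytes

def max_ping_payload(mtu):
    """Largest 'ping -l' payload that still fits one unfragmented datagram."""
    return mtu - IP_HDR - ICMP_HDR

def icmp_checksum(data):
    """Standard one's-complement checksum over 16-bit words (RFC 792)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frag_needed(next_hop_mtu, offending_ip_header):
    """Constructed ICMP type 3 code 4 (Fragmentation Needed and DF set), RFC 1191 layout:
    type, code, checksum, unused, next-hop MTU, then the offending IP header + 8 bytes."""
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + offending_ip_header[:28]
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

def parse_frag_needed(msg):
    """Return the advertised next-hop MTU if msg is a valid type 3 code 4, else None."""
    if len(msg) < 8 or icmp_checksum(msg) != 0:
        return None
    icmp_type, code, _, _, mtu = struct.unpack("!BBHHH", msg[:8])
    return mtu if (icmp_type, code) == (3, 4) else None

def pmtud(hop_mtus, firewall_permits_unreachable, datagram_len, max_rounds=8):
    """Simulate a host sending DF datagrams of datagram_len over links with the given MTUs.
    Returns (delivered, datagram size the host ended up using); a dropped 'unreachable' is a black hole."""
    size = datagram_len
    for _ in range(max_rounds):
        too_small = next((m for m in hop_mtus if size > m), None)
        if too_small is None:
            return True, size                   # every hop fits: delivered
        ip_hdr = b"\x45\x00" + struct.pack("!H", size) + bytes(24)  # assumed minimal header
        icmp = build_frag_needed(too_small, ip_hdr)                 # router in front of the narrow link answers
        if not firewall_permits_unreachable:
            return False, size                  # firewall drops it: host keeps retrying at 'size'
        size = parse_frag_needed(icmp)          # host lowers its path MTU and retransmits
    return False, size

if __name__ == "__main__":
    path = [1500, 1500, 1496]                   # constructed: far end of the WAN is narrower than the LAN
    print(max_ping_payload(1500), max_ping_payload(1496))   # 1472 1468
    print(pmtud(path, False, 1500))             # (False, 1500): only echo-reply permitted
    print(pmtud(path, True, 1500))              # (True, 1496): unreachable permitted
```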

Excuse me, an explanation: I decided that the PIX is the cause of the problem because without the PIX (I set the same IP address as the PIX on one PC) the PING works correctly. I need to adjust this because the AS/400 has its MTU size set to 1496 and it is not possible to change it.

In the access list I already have:

access-list inbound permit icmp any any echo-reply

Thanks.

Another piece of information:

From the console I put my PIX in debug mode:

debug icmp trace

When I send a ping with size equal to or less than 1472, I see various information about ICMP traffic on the console.

When I send a ping with size greater than 1472, I see nothing.

Thanks again.

Only allowing "echo-reply" will still break Path MTU Discovery. Allow "unreachable" in and see how you go. Allowing "time-exceeded" will allow traceroutes to work properly also.
