Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2809
Views
0
Helpful
2
Replies

Path MTU Discovery problems with FTDv on ENCS

Go to solution
AJ Cruz
Level 3
Level 3

‎11-10-2021 06:40 AM - edited ‎11-22-2021 09:56 AM

I am moving a PPPOE-based internet connection from an FTDv running on ESXi to an FTDv running on an ENCS5412.

I have both the inside and outside interface of the FTDv connected via SRIOV ports on the ENCS. The FTDv virtual ports have MTU set to 1492.

 

On the old connection (FTDv on ESXi), Path MTU Discovery works. I can't ping out to the internet with a full 1500-byte packet with the DF bit set, but I have no connectivity issues (standard web browsing) because PMTUD works and lowers my PC's transmission units to stay under what the pppoe connection supports.

 

When I cut over to the new connection (FTDv on ENCS) there are many websites that don't work. Looking at the ASP drops on the FTDv I see it dropping packets with errors stating fragmentation required but df-bit set.

To confirm the issue I hard-coded my PC MTU to 1450 and I have no problem browsing websites. As soon as I set it to 1500 I have problems. It sounds to me like PMTUD is broken when traffic flows through the new connection.

 

I don't know if this is due to the FTDv, or the ENCS. I see the physical ports of the ENCS have an MTU of 9216, but I don't see any way to change that. Any thoughts?

Thanks!

 

Update on some troubleshooting I did:

On the new connection I did a packet capture on my PC. I can see packets leaving my PC @ 1514 bytes. I see ICMP Destination unreachable (Fragmentation needed) packets from the firewall.

As soon as I move the connection to the old firewall, no change to the PC, I run a capture and never see a single ICMP Dest Unreachable and the max size I ever see leave the PC is 1434 bytes.

I don't get what's happening

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
AJ Cruz
Level 3
Level 3

‎11-22-2021 09:55 AM

UPDATE

This appears to have nothing to do with ENCS. I used the same FTDv image directly in my ESXi environment so that the only difference was the VM/version of FTDv and I get the same behavior. Closing this and re-posting in the firepower community.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
AJ Cruz
Level 3
Level 3

‎11-22-2021 09:55 AM

UPDATE

This appears to have nothing to do with ENCS. I used the same FTDv image directly in my ESXi environment so that the only difference was the VM/version of FTDv and I get the same behavior. Closing this and re-posting in the firepower community.

0 Helpful

Go to solution
Ann69
Level 1
Level 1
In response to AJ Cruz

‎05-02-2022 10:46 PM

@AJ Cruz wrote:

UPDATE

This appears to have nothing to do with ENCS. I used the same FTDv image directly in my ESXi environment so that the only difference was the VM/version of FTDv and I get the same behavior. Closing this and re-posting in the firepower community.

Thank you for sharing the solution, I was looking for the same.

0 Helpful
Customers Also Viewed These Support Documents