10-06-2004 05:39 AM - edited 03-02-2019 07:01 PM
While poking around my network, I was debugging some ICMP on an MSFC we have. I noticed some interesting messages: "ICMP: dst (x.x.x.x) frag. needed and DF set unreachable sent to y.y.y.y". I then found a good article on why this is: http://www.cisco.com/warp/public/105/56.html
We have an IPsec / GRE tunnel, so it is obvious that we are exceeding the MTU with the additional packet header information.
Now for the question: Is it better to let the "unreachable, fragmentation needed and DF set" message alter the MTU, or should we clear the DF bit with the policy route-map?
Are there performance advantages either way?
10-06-2004 05:57 AM
This is a somewhat complicated issue and I am not sure that there is a clear best answer. It will depend a lot on your individual situation.
There is some advantage in letting the ICMP go through and alter the MTU. The biggest advantage of this is that it puts the work of managing packet size on the end station. If the MTU does not get adjusted from the end station, then your routers will be doing extra work to fragment and reassemble data packets.
On the other hand, even if you let the ICMP go through there is no guarantee that someone else somewhere else will not deny them. So it may be preferable to deal with the issue in another way. Using policy routing is one of the options to consider. It has the advantage that you will have more control within your network. But there is still some risk that someone outside of your network may impact or deny your traffic.
A customer I work with has faced this issue. We also run IPsec with GRE tunnels and were having issues with fragmentation, especially for traffic to destinations outside of our network. We found a solution in the ip tcp adjust-mss command. It effectively overrides the negotiation of packet size and will get the end stations to set a packet size that will fit through your tunnels. It has the advantage that it puts the work of managing the packet size on the end stations, not on your routers. If your routers are running code recent enough to support this, I would recommend that you look at this as a possible solution.
HTH
Rick
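The arithmetic behind the three choices Rick lays out above (let the ICMP "fragmentation needed and DF set" message reach the end station, clear DF so the router fragments, or clamp the TCP MSS so segments fit from the start), as an added example that is not part of the thread and is not Cisco code. It assumes an ESP tunnel-mode transform set with a 16-byte IV, 12-byte ICV and 16-byte cipher block, plain GRE with no key or sequence fields, and a 1500-byte physical MTU; the addresses and packets are constructed, not captured, and the resulting numbers apply only to those assumptions.

```python
"""Path-MTU arithmetic for GRE over IPsec, and the ICMP Type 3 / Code 4 message
(RFC 1191 next-hop MTU field) that a router sends when a DF packet does not fit.
Added example; the transform-set sizes below are assumptions, not from the thread."""
import struct

IP_HDR, TCP_HDR, GRE_HDR = 20, 20, 4
# Assumed transform set: ESP tunnel mode, SPI+sequence, 16-byte IV, 2-byte trailer,
# 12-byte ICV (e.g. HMAC-SHA1-96), 16-byte cipher block.
ESP_SPI_SEQ, ESP_IV, ESP_TRAILER, ESP_ICV, ESP_BLOCK = 8, 16, 2, 12, 16


def esp_tunnel_len(inner_len):
    """Wire size of an ESP tunnel-mode packet that carries inner_len bytes."""
    padded = -(-(inner_len + ESP_TRAILER) // ESP_BLOCK) * ESP_BLOCK  # round up to block
    return IP_HDR + ESP_SPI_SEQ + ESP_IV + padded + ESP_ICV


def tunnel_mtu(phys_mtu):
    """Largest original IP packet whose GRE-then-ESP encapsulation still fits phys_mtu."""
    size = phys_mtu
    while esp_tunnel_len(IP_HDR + GRE_HDR + size) > phys_mtu:
        size -= 1
    return size


def mss_clamp(phys_mtu):
    """Value to give 'ip tcp adjust-mss': tunnel MTU minus IP and TCP headers (no options)."""
    return tunnel_mtu(phys_mtu) - IP_HDR - TCP_HDR


def inet_checksum(data):
    """RFC 1071 ones'-complement checksum; returns 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_header(total_len, df, src, dst):
    """Minimal 20-byte IPv4 header, DF in the flags field (header checksum left zero)."""
    flags_frag = 0x4000 if df else 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag, 64, 6, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))


def frag_needed(next_hop_mtu, offending):
    """ICMP Type 3 / Code 4 quoting the offending IP header plus 8 bytes, as the MSFC sends."""
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + offending[:IP_HDR + 8]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_frag_needed(pkt):
    """Return (next_hop_mtu, original_dst) for a valid Type 3 / Code 4 message, else None."""
    if len(pkt) < 8 + IP_HDR or inet_checksum(pkt) != 0:
        return None
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", pkt[:8])
    if typ != 3 or code != 4:
        return None
    dst = ".".join(str(b) for b in pkt[8 + 16:8 + 20])  # dst field of the quoted header
    return mtu, dst


def send(total_len, phys_mtu, df, icmp_reaches_host):
    """Fate of one total_len-byte packet entering the tunnel under each policy."""
    mtu = tunnel_mtu(phys_mtu)
    if total_len <= mtu:
        return "delivered"
    if not df:  # DF cleared by the route-map: the router fragments instead
        frag_payload = (mtu - IP_HDR) // 8 * 8  # fragment offsets are in 8-byte units
        return "fragmented:%d" % -(-(total_len - IP_HDR) // frag_payload)
    # Constructed offending packet: IP header plus the first 8 bytes of TCP (ports, seq).
    offending = ip_header(total_len, True, "10.0.0.1", "192.0.2.10") + struct.pack("!HHI", 40000, 443, 1)
    icmp = frag_needed(mtu, offending)
    if icmp_reaches_host:
        info = parse_frag_needed(icmp)
        if info:
            return "pmtu:%d" % info[0]  # host lowers its path MTU and resends smaller
    return "black-holed"  # ICMP filtered somewhere on the path: silent drop


if __name__ == "__main__":
    print("tunnel MTU", tunnel_mtu(1500), "adjust-mss", mss_clamp(1500))
    for df, icmp_ok in ((True, True), (True, False), (False, False)):
        print("df=%s icmp=%s ->" % (df, icmp_ok), send(1500, 1500, df, icmp_ok))
```

Under the assumed transform set a 1500-byte link yields a tunnel MTU of 1414 and an MSS clamp of 1374; a different cipher or ICV length, or GRE key/sequence fields, shifts both numbers, which is why the value is usually rounded down further in practice (a commonly used conservative pairing on Cisco tunnel interfaces is ip mtu 1400 with ip tcp adjust-mss 1360). The `send` function makes the trade-off in the thread concrete: with DF set, the outcome depends entirely on whether the ICMP message survives the path back to the sender, while clearing DF trades that dependency for fragmentation work on the router, and the MSS clamp avoids both for TCP because no segment ever exceeds the tunnel MTU.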
10-06-2004 06:45 AM
Can you apply the tcp adjust-mss command to just the tunnel interfaces? That way, the rest of the network could continue to use the regular MTU.
10-06-2004 07:33 AM
The documentation for ip tcp adjust-mss states that it is to be applied to physical interfaces, not virtual interfaces like tunnels. That is the way I applied it (and in our case there are no packets going through the interface that are not going through the tunnel).
I have heard that people have applied adjust-mss to tunnel interfaces and that it worked. Since I have not tested or applied it in this way, I cannot comment one way or the other. Let us know, if you do try it, how it worked on tunnels.
HTH
Rick
10-06-2004 06:29 PM
The "unreachable, fragmentation needed and DF set" message will not necessarily cause the end device to alter the MTU, and so the frame will simply be dropped. You should clear the DF bit to prevent this.