PMTUD is broken

ZlatkoBN1 · ‎11-01-2009

Hi all,

I tried to solve problem with fragmentation and configured parameters as below. The same is on the router on the other side.

interface Tunnel0

ip mtu 1438

tunnel path-mtu-discovery

...

I configured GRE over IPSEC (transport mode), and problem is PMTUD. It seem to be broken. I don't have firewall between router. Ping to other side with large packet and set DF bit is unsuccesful. With sniffer I saw one ICMP request sent and received ICMP unreachable packet but subsequent ping packets is again unsuccesful and ping packets was not seeing with sniffer.

Any suggestions is helpfull!

andrew.prince · ‎11-02-2009

99% of the time the PMTUD issue is with the local/remote end machines = Windows.

Basically in my experiance it just does not work, and it's a windows issue not a network issue.

To get around it you should consier:-

1) Change the MTU on the machine NIC's (does not scale so good in a large network)

2) take advantage of the tcp-mss-adjust feature in most cisco platforms.

3) Write a policy to remove to set the DF bit to 0

HTH>

lgijssel · ‎11-02-2009

Please check the following document. It may help to resolve your issue:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

regards,

Leo

Panos Kampanakis · ‎11-02-2009

This will not work.

The reason is that even if Windows see the "ICMP unreachable" it will not change its ping size. The ping was set to be sent with big payload and Windows will keep sending it that way, causing it to fail.

The unreachable is sent to alert the client so it sends smaller packets. In case this was TCP then the Windows device should changes it MSS and send smaller payloads.

I hope it makes sense.

PK