Hello,

If you want to test whether ICMP Fragmentation Needed messages are being sent from a router as a response to an oversized packet, do not send oversized packets from that router itself. That router is not going to send ICMP Unreachables to itself. Instead, you should send oversized packets from a different device that just routes through your router you want to test.

Best regards,

Peter

Hi Peter, Thanks for your input. I have already tried that and got a similar response - ie, it looks like they are not sent by the router.

For clarity I should also mention I've captured the packets in/out of the router and don't see any unreachables being sent when I send frames too large for the MTU on the link with the DF flag set.

Hello Jake,

The ICMP Fragmentation Needed will be sent when a packet with DF set arrives to a router and should be sent out a different interface whose MTU is smaller than the packet's size. Note that the packet must first be accepted, i.e. its size must not be larger than the incoming interface's MTU. What you did, if I understand you correctly, was basically a MTU mismatch on a single link. These MTU mismatches on a single link are not handled by ICMP; in fact, they are considered a grave misconfiguration.

What you need to do is to send a packet that will be accepted by the router on the incoming inteface but that is too large for the outgoing interface where the router tries to forward it through.

Best regards,

Peter

Hi Peter,

I'm not sure you understood correctly at all?

I'm trying to send a packet that is too large for the MTU on a tunnel, and I'm expecting to get an ICMP unreachable (type 3, code 4) back, but this is not happening and the packets are dropped even though the interfaces are configured to send ICMP unreachables, which seems strange. There is no misocnfiguration as far as I can tell, and one end of the tunnel config is shown above. The other end is configured similarly (except for the platform and IOS) and the same test from the other side of the tunnel produces ICMP unreachables.

This issue only affects A-symetric traffic as I have configured the mss tcp value to a relavant size for the IP mtu on the link (as you can see from the config). So PMTUD is not required in this instance, but for a-symetric traffic the mss is only rewritten in the header in one direction so PMTUD is required. For PMTUD to work we require the router to send ICMP unreachables which it is not doing.

I hope this clarifies the issue.

Hi,

I admit I am having troubles understading where the oversized packets are originated and on which interface are they supposed to be dropped, along with ICMP unreachables being generated as a result. Please understand that you know your network topology and the environment; I do not - so far, I only know that you are pinging from somewhere to somewhere else and you expect ICMP unreachables to somehow be generated at some point in the network. I am struggling to understand your topology; there is not much information about it in your posts so far.

Do you believe you could draw a quick topology sketch that indicates the position of the sender of the oversized packets and the interface whose MTU is lower?

Best regards,

Peter

Here you go Peter, obviously the IP addresses are invalid. Quite simple really.

Hello,

Thank you. This really helps.

This may be a blind shot but notice that on R1, your tunnel is not configured with ip mtu 1476 command while R2 is. Although the MTU on GRE tunnels should be decreased automatically, the default setting differs between different IOS versions. Can you try configuring this command on the R1's tunnel please and repeating your experiment?

Thank you!

Best regards,

Peter

Hi Paul, Unfortunately I tried that day one, and the behavior in this version of IOS is to not display that command in the config. The command tunnel path-mtu-discovery effectively enables MTU negotiation so the interface always should have the correct MTU, as can be seen from the below output (which was also posted above).

#sho ip int t0

Tunnel0 is up, line protocol is up

  Internet address is 1.1.2.17/29

  Broadcast address is 255.255.255.255

  Address determined by non-volatile memory

  MTU is 1476 bytes

  Helper address is not set

  Directed broadcast forwarding is disabled

  Outgoing access list is not set

  Inbound  access list is not set

  Proxy ARP is enabled

  Local Proxy ARP is disabled

  Security level is default

  Split horizon is enabled

  ICMP redirects are never sent

  ICMP unreachables are always sent

  ICMP mask replies are never sent

  IP fast switching is enabled

  IP CEF switching is enabled

  IP CEF switching turbo vector

  IP Null turbo vector

  Associated unicast routing topologies:

        Topology "base", operation state is UP

  IP multicast fast switching is enabled

  IP multicast distributed fast switching is disabled

  IP route-cache flags are Fast, CEF

  Router Discovery is disabled

  IP output packet accounting is disabled

  IP access violation accounting is disabled

  TCP/IP header compression is disabled

  RTP/IP header compression is disabled

  Probe proxy name replies are disabled

  Policy routing is disabled

  Network address translation is disabled

  BGP Policy Mapping is disabled

  Input features: CEF Packet Capture, MCI Check, TCP Adjust MSS

  Output features: IP Post Routing Processing, TCP Adjust MSS, HW Shortcut Installation

  Post encapsulation features: MTU Processing, IP Protocol Output Counter, IP Sendself Check, HW Shortcut Installation, CEF Packet Capture

  WCCP Redirect outbound is disabled

  WCCP Redirect inbound is disabled

  WCCP Redirect exclude is disabled

Hello Jake,

you need to configure "ip unreachables" on the egress L3 interface towards the host.

Thanks.