[61985] in North American Network Operators' Group
Re: 92 Byte ICMP Blocking Problem
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Fri Sep 12 14:17:13 2003
From: "Steven M. Bellovin" <smb@research.att.com>
To: Chris Adams <cmadams@hiwaay.net>
Cc: Nanog <nanog@nanog.org>
In-Reply-To: Your message of "Fri, 12 Sep 2003 12:52:58 CDT."
<20030912175258.GB616832@hiwaay.net>
Date: Fri, 12 Sep 2003 14:16:41 -0400
Errors-To: owner-nanog-outgoing@merit.edu
In message <20030912175258.GB616832@hiwaay.net>, Chris Adams writes:
>
>Once upon a time, Richard J.Sears <rsears@adnc.com> said:
>> Since then, we have been hammered with customer complaints concerning
>> the inability to talk to mail servers and ssh to their servers, as well
>> as other weird network issues, all centering around the time we started
>> blocking 92 Byte ICMP packets.
>>
>> Has anyone else seen this, and if so, is the only resolution to stop the
>> blockage of 92 Byte ICMP Packets..?
>
>Yes. As soon as we put the policy route map in place, we had some
>people unable to talk via SSH, SMTP, or POP3. It was random: one person
>here in the office couldn't SSH to a particular server. He could SSH to
>other servers, and the rest of us could SSH to the server he could not.
>We had similar experiences with SMTP and POP3. When we took the policy
>route map back out, the problems went away.
>
>This is with IOS 12.0(25)S1 on a 7513 doing dCEF. We put the policy
>route map on the FE interface linking this router to the POP core
>router; this router has MC-T3 interfaces and ethernets to Ascend TNTs
>and such. The intent was to stop the 92 byte ICMP echos from reaching
>the Ascend TNTs, since several of them were rebooting constantly.
I wonder if it's a Path MTU problem. Can you turn off Path MTU on some
of the affected hosts and see if it solves the problem?
--Steve Bellovin, http://www.research.att.com/~smb
