[61986] in North American Network Operators' Group


Re: 92 Byte ICMP Blocking Problem

daemon@ATHENA.MIT.EDU (Chris Adams)
Fri Sep 12 14:33:09 2003

Date: Fri, 12 Sep 2003 13:32:43 -0500
From: Chris Adams <cmadams@hiwaay.net>
To: "Steven M. Bellovin" <smb@research.att.com>
Cc: Nanog <nanog@nanog.org>
Mail-Followup-To: Chris Adams <cmadams@hiwaay.net>,
	"Steven M. Bellovin" <smb@research.att.com>, Nanog <nanog@nanog.org>
In-Reply-To: <20030912181642.10CD97B43@berkshire.research.att.com>
Errors-To: owner-nanog-outgoing@merit.edu


Once upon a time, Steven M. Bellovin <smb@research.att.com> said:
> In message <20030912175258.GB616832@hiwaay.net>, Chris Adams writes:
> >Yes.  As soon as we put the policy route map in place, we had some
> >people unable to talk via SSH, SMTP, or POP3.  It was random: one person
> >here in the office couldn't SSH to a particular server.  He could SSH to
> >other servers, and the rest of us could SSH to the server he could not.
> >We had similar experiences with SMTP and POP3.  When we took the policy
> >route map back out, the problems went away.
> >
> >This is with IOS 12.0(25)S1 on a 7513 doing dCEF.  We put the policy
> >route map on the FE interface linking this router to the POP core
> >router; this router has MC-T3 interfaces and ethernets to Ascend TNTs
> >and such.  The intent was to stop the 92 byte ICMP echos from reaching
> >the Ascend TNTs, since several of them were rebooting constantly.
> 
> I wonder if it's a Path MTU problem.  Can you turn off Path MTU on some 
> of the affected hosts and see if it solves the problem?

I don't have it in place anymore (because it caused more problems than
it fixed), so I can't test this.  In any case, the route map only
matched 92 byte ICMP echo and ICMP echo-reply packets, which is not what
PMTU uses, so it shouldn't have had a problem.  Also, I know that the
MTU along the path for the person in the office is the same all the way,
so PMTU shouldn't come into play there.
-- 
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
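
The match condition described in this message, written out as an added example (not part of the original post and not the router's configuration): a classifier that matches only ICMP echo and echo-reply packets of 92 bytes, run over constructed packets. It assumes "92 byte" means the IP total length; all function names and sample packets are constructed for illustration.

```python
import struct

ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO = 0, 3, 8
FRAG_NEEDED = 4   # code under type 3; the message Path MTU discovery relies on (RFC 1191)
PROTO_ICMP, PROTO_TCP = 1, 6

def build_ipv4(proto, payload):
    """Constructed IPv4 packet: 20-byte header, documentation addresses, checksum left 0."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return header + payload

def build_icmp(icmp_type, code, data_len):
    """Constructed ICMP message: 8-byte header plus data_len filler bytes."""
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + b"\xaa" * data_len
    return build_ipv4(PROTO_ICMP, icmp)

def matches_filter(packet, length=92):
    """True only for ICMP echo / echo-reply whose IP total length equals `length`."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False                      # truncated or not IPv4
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or packet[9] != PROTO_ICMP or len(packet) <= ihl:
        return False                      # bad header, not ICMP, or no ICMP type byte
    return total_len == length and packet[ihl] in (ICMP_ECHO, ICMP_ECHO_REPLY)

def classify_samples():
    """Run the filter over constructed sample packets; returns name -> matched."""
    samples = {
        "echo_92": build_icmp(ICMP_ECHO, 0, 64),
        "echo_reply_92": build_icmp(ICMP_ECHO_REPLY, 0, 64),
        "echo_84": build_icmp(ICMP_ECHO, 0, 56),
        "frag_needed_56": build_icmp(ICMP_DEST_UNREACH, FRAG_NEEDED, 28),
        "frag_needed_92": build_icmp(ICMP_DEST_UNREACH, FRAG_NEEDED, 64),
        "tcp_92": build_ipv4(PROTO_TCP, b"\x00" * 72),
    }
    return {name: matches_filter(pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:16} {'MATCH' if hit else 'pass'}")
```

Under these assumptions, a fragmentation-needed message is not matched even when it happens to be 92 bytes long, and neither is a 92-byte TCP segment.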
