Contributor
July 14, 2011
Question

Can't ping with oversized ICMP traffic

  • July 14, 2011
  • 5 replies
  • 12043 views
Hi, we have 2 subnets with 2 FortiGates bridged with an IPsec VPN. When I try to ping with an oversized packet between the 2 subnets, it doesn't work, but a standard ping works:
    ping 192.168.5.5 -l 2048
I need this to troubleshoot a network problem. (http://www.eggheadcafe.com/microsoft/Windows-Group-Policy/31759765/userenv-event-id-1054--userenvlog-dsgetdcname-failed-with-59.aspx) Thanks

    5 replies

    ede_pfau
    SuperUser
    July 14, 2011
    Hi, and welcome to the forums. Look at this from my FGT:
       E:\>ping 192.168.40.3 -l 3072

       Pinging 192.168.40.3 with 3072 bytes of data:

       Reply from 192.168.40.3: bytes=3072 time=133ms TTL=126
       Reply from 192.168.40.3: bytes=3072 time=134ms TTL=126
       Reply from 192.168.40.3: bytes=3072 time=133ms TTL=126
       Reply from 192.168.40.3: bytes=3072 time=133ms TTL=126

       Ping statistics for 192.168.40.3:
           Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
       Approximate round trip times in milli-seconds:
           Minimum = 133ms, Maximum = 134ms, Average = 133ms
    This is a plain vanilla IPsec VPN tunnel to a FGT in a different city. I tested with the tunnel initially down or up, same result.
    emnoc
    New Member
    July 14, 2011
    Do you have the DF bit set or not in the L3 header? You could tcpdump this to determine the condition. On Linux or most Unixes, you can set the DF (don't fragment) bit. I bet this is a DF bit issue, causing the packets to drop, and I bet it starts around 1472 bytes if I had to guess, e.g.
        ping -M do -s 1480 "target-host-on-the-far-side.addr"
        ping -M dont -s 1480 "target-host-on-the-far-side.addr"
    Good luck
    Contributor
    July 18, 2011
    Where can I find the DF bit in the shell of the FortiGate?
    Contributor
    July 18, 2011
    The biggest packet I can send is 1410 bytes.
    emnoc
    New Member
    July 18, 2011
    Have you inspected the source(s) and whether the DF bit is set or not?
        tcpdump -vvv src host "insert host"
    or
        tshark -V src host "insert host" and dst host "xxx.yyy.zzz.aaaa"
    and monitor the packet DF bit setting. If the DF bits are toggled high, the traffic could be dropped pre-tunnel encapsulation. Path MTU is probably broken due to the VPN/IPsec, and the hosts are not even aware of the VPN tunnel.
    rwpatterson
    New Member
    July 18, 2011
    Try bringing the 'tcp-mss' size down to 1400. That would leave 100 bits for encapsulation and other header information. 1500 should still be the max packet size. Configure that on the interface.
      config system interface
          edit "port1"
              set vdom "root"
              set ip 192.168.2.1 255.255.255.0
              set allowaccess ping https ssh snmp telnet
              set type physical
              set tcp-mss 1400
              set description "Inside (gateway) interface"
              set alias "LAN"
          next
      end
    Contributor
    July 18, 2011
    I set the tcp-mss to 1400 but it did nothing. I forgot to say that I have activated the IPsec tunnel as an interface.
    ede_pfau
    SuperUser
    July 19, 2011
    IMHO you are focusing on the wrong device. The router(s) which interface to the WAN line(s) are not set up correctly if they prohibit large packets. There is an overhead of 28 bytes (not bits) for the UDP encapsulation, so packets have to be fragmented when leaving the WAN interface. I don't think you should manipulate the FGTs to force a smaller packet size - all it does is fragment earlier. And then the router blocks fragmented packets again. So it's either your router or the router port of your ISP which you have to check - they need to allow fragmented packets.
    Contributor
    July 19, 2011
    The router is the FortiGate. The FortiGate is directly linked to the DSL modem. Probably it's my ISP that limits the large packets... I'll check for a workaround solution... Thanks
    emnoc
    New Member
    July 19, 2011
    Did you try a ping with the DF bit set, and not through the tunnel? Remember the DSL is probably reducing the MTU size due to the overhead with DSL. Typically 1492 would be the MTU for DSL. What does your DSL have configured?
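The two questions the thread keeps returning to are whether the DF bit is set on the echo requests (emnoc's tcpdump suggestion) and how much of the path MTU is left once the 28-byte UDP encapsulation and the DSL overhead are taken off (ede_pfau's and emnoc's later posts). The following is an added example, not code from the thread or from Fortinet: it decodes the DF/MF/offset field from a raw IPv4 header and from a `tcpdump -v` header line, and computes the largest `-l`/`-s` value that still fits a given MTU. The 1500/1492 MTUs and the 28-byte UDP encapsulation come from the posts; `ESP_OVERHEAD` is an assumed placeholder, since the real ESP cost depends on the cipher suite, and all sample packets and log lines are constructed for the demo.

```python
"""Added example: inspect the IPv4 DF bit and budget ICMP echo sizes against a path MTU."""
import re
import socket
import struct
from typing import Optional

IPV4_HDR = 20        # fixed IPv4 header without options
ICMP_HDR = 8         # ICMP echo header; ping's -l/-s value is the data after it
UDP_ENCAP = 28       # outer IP (20) + UDP (8) for UDP-encapsulated IPsec, as stated in the thread
DSL_MTU = 1492       # typical PPPoE/DSL MTU mentioned in the thread
ESP_OVERHEAD = 57    # ASSUMPTION: rough ESP header/IV/padding/ICV budget, varies with the cipher suite


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum over the header (checksum field must be zeroed)."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(payload_len: int, df: bool, src: str, dst: str,
                      proto: int = 1, ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Construct a 20-byte IPv4 header (constructed sample input for the demo, not captured traffic)."""
    flags_frag = 0x4000 if df else 0          # bit 14 = DF, bit 13 = MF, low 13 bits = offset/8
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + payload_len, ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fields tcpdump prints as id/offset/flags/length, plus a checksum check."""
    if len(pkt) < IPV4_HDR:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:IPV4_HDR])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    hdr = pkt[:(ver_ihl & 0x0F) * 4]
    csum_ok = ipv4_checksum(hdr[:10] + b"\x00\x00" + hdr[12:]) == csum
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "total_len": total_len,
            "ident": ident, "ttl": ttl, "proto": proto, "df": bool(flags_frag & 0x4000),
            "mf": bool(flags_frag & 0x2000), "frag_offset": (flags_frag & 0x1FFF) * 8,
            "checksum_ok": csum_ok}


# Header line as printed by `tcpdump -v`, e.g. "IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto ICMP (1), length 84)"
TCPDUMP_RE = re.compile(r"IP \(tos 0x[0-9a-fA-F]+, ttl (\d+), id (\d+), offset (\d+), "
                        r"flags \[([^\]]*)\], proto \w+ \((\d+)\), length (\d+)\)")


def parse_tcpdump_v(line: str) -> Optional[dict]:
    """Extract DF/MF/offset/length from one `tcpdump -v` line; None if the line is not an IPv4 header line."""
    m = TCPDUMP_RE.search(line)
    if not m:
        return None
    ttl, ident, offset, flags, proto, length = m.groups()
    flag_set = {f.strip() for f in flags.split(",")}
    return {"ttl": int(ttl), "ident": int(ident), "frag_offset": int(offset), "df": "DF" in flag_set,
            "mf": "+" in flag_set, "proto": int(proto), "total_len": int(length)}


def max_ping_payload(path_mtu: int, tunnel_overhead: int = 0) -> int:
    """Largest -l/-s data size whose echo request still fits one packet after tunnel_overhead is added."""
    return path_mtu - tunnel_overhead - IPV4_HDR - ICMP_HDR


def ping_outcome(payload: int, path_mtu: int, tunnel_overhead: int, df: bool) -> str:
    """'ok' if the encapsulated echo fits the MTU, 'fragmented' if it is split (DF clear),
    'dropped' if it exceeds the MTU with DF set (router must discard and send ICMP fragmentation-needed)."""
    wire = IPV4_HDR + ICMP_HDR + payload + tunnel_overhead
    if wire <= path_mtu:
        return "ok"
    return "dropped" if df else "fragmented"


if __name__ == "__main__":
    # Constructed echo request carrying 1480 bytes of data with DF set, as in emnoc's probe
    hdr = build_ipv4_header(ICMP_HDR + 1480, df=True, src="192.168.2.10", dst="192.168.5.5")
    print(parse_ipv4_header(hdr))
    # Constructed tcpdump -v line for the same packet
    print(parse_tcpdump_v("12:00:01.000000 IP (tos 0x0, ttl 64, id 4660, offset 0, flags [DF], "
                          "proto ICMP (1), length 1508)"))
    print("max -l on 1500 MTU:", max_ping_payload(1500))              # 1472, emnoc's guess
    print("max -l on DSL + UDP encap:", max_ping_payload(DSL_MTU, UDP_ENCAP))
    print("2048-byte ping, DF clear:", ping_outcome(2048, DSL_MTU, UDP_ENCAP + ESP_OVERHEAD, df=False))
```

Run it with `python3 example.py`; the checksum field is computed so the parsed header verifies, and `ping_outcome` shows why the same oversized ping survives with DF clear (fragmented, then possibly blocked downstream as ede_pfau notes) but is discarded outright with DF set.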