PMTU not working?

Forum|Forum|9 years ago
February 23, 2017
1 reply
4967 views

I have issues with duplicate acks through the IPSEC tunnels of a customer of mine. When trying to figure out what's going on, I see that packets that are too big (DF set) are being silently dropped, whereas the sender should receive an ICMP message. In the attached pcap (renamed to be able to upload), I send 5 icmp packets with payload 1418B, and then 5 packets with payload 1419B. The latter should not work, but the sender does not get any warning of this.

Is it like this for any good reason, or is it just a bad implementation?

FortiOS 5.2.3. IPSEC MTU 1446B.

df_pcap.txt

btpAuthor

New Member

An update - I have similar setup on 5.2.7 on FG1000D and FG1200D - and this works fine: when I ping with too large packets (df-bit no), they get fragmented and assembled on the other side, as they should. On the FG300D running 5.2.3 the packet just disappears - with no message to the sender.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded