Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
narendra_prasad
New Contributor

Getting error of need frag (MTU 1500)

Dear Support, actually we are sending mail from the SAP server using any SAP application, but we are getting the attached error when sniffing. 192.168.111.24 is the SAP server's IP and 192.168.118.22 is the mail server's IP. Please check the same and suggest a solution, and let us know what exactly the problem is. When checking via the sniffer we get the below result:

352.027792 192.168.118.22 -> 192.168.111.24: icmp: 192.168.118.22 unreachable - need to frag (mtu 1500)
Narendra Prasad
emnoc
Esteemed Contributor III

Dump the traffic between the 2 hosts: you have the DF-bit set and the packet is too large, so the ICMP type 3 code 4 message is being sent back to you. You have a few options and one is simple: use the fwpolicy to set the MSS value on traffic between the src/dst address, i.e. ( set tcp-mss-sender | receiver ), or clear the DF-bit so the packet can be fragmented.

PCNSE NSE StrongSwan
narendra_prasad
New Contributor

How can I clear the DF-bit from my end, and how can I check the current 'tcp-mss' value for any policy?
Narendra Prasad
emnoc
Esteemed Contributor III

1: The set tcp-mss-sender/receiver is done per fwpolicy and is not enabled by default; it's also done via the cmd line.

2: You can clear the df-bit at the host and iirc I think within fwpolicies; let me jump into a firewall and confirm that. You also can easily do the same with a service-policy map within Cisco IOS. So if you have any firewalls or switches that are L3, you can craft a policy and apply it ahead of the firewall to clear the df-bit.

B4 you waste all of that time, you need to get the MSS value ( tcpdump 'tcp[13]==02' ) that's being sent, and then adjust it with a firewall policy after you know what you're sending and receiving, i.e.:

    config firewall policy
        edit 445
            set srcintf "LAN01"
            set dstintf "EXT02"
            set srcaddr "MWEBAPPNET01"
            set dstaddr "any"
            set service "HTTP,HTTPS"
            set tcp-mss-sender 1436
            set tcp-mss-receiver 1436
            set comments "set mss for all webtraffic, due to our DDoS gre tunnel limits"
        next
    end

PCNSE NSE StrongSwan
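As an added example (not code from this thread, from Fortinet, or from either poster), the following Python script decodes the two packets that emnoc's replies revolve around: the ICMP type 3 code 4 "need to frag" message quoted in the question, including the next-hop MTU it carries and the DF bit on the original datagram it quotes back, and the TCP SYN whose MSS option the tcp-mss-sender/receiver setting clamps. Only the two host addresses come from the question; the packet bytes, port numbers, the 1600-byte original length and the 1476-byte path MTU used in the test are constructed assumptions.

```python
# Added example (not from the forum thread): decode the two packets that matter when
# chasing a "need to frag" problem: the ICMP type 3 code 4 reply, and the TCP SYN
# whose MSS option a firewall policy would clamp. All packet bytes below are
# constructed in this script; the hosts are the SAP and mail server IPs from the question.
import struct

IP_FLAG_DF = 0x4000          # "Don't Fragment" bit in the IPv4 flags/fragment-offset word
IPV4_HDR, TCP_HDR = 20, 20   # header sizes without options


def parse_ipv4(buf):
    """Parse the fixed 20-byte IPv4 header; return fields plus the payload after IHL."""
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", buf[:IPV4_HDR])
    ihl = (ver_ihl & 0x0F) * 4
    return {"total_len": total_len, "df": bool(flags_frag & IP_FLAG_DF), "proto": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "payload": buf[ihl:]}


def parse_icmp_need_frag(icmp):
    """ICMP type 3 code 4: RFC 1191 puts the next-hop MTU in bytes 6-7, followed by the
    original datagram's IP header plus its first 8 bytes (enough for TCP ports and seq)."""
    icmp_type, code, _csum, _unused, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != 3 or code != 4:
        return None
    return next_hop_mtu, parse_ipv4(icmp[8:])


def tcp_syn_mss(seg):
    """Walk the TCP option list and return the MSS (kind 2) value, or None if absent."""
    off_flags = struct.unpack("!H", seg[12:14])[0]
    if not off_flags & 0x02:            # SYN flag clear: MSS is only carried on SYNs
        return None
    opts, i = seg[TCP_HDR:(off_flags >> 12) * 4], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                   # end of option list
            break
        if kind == 1:                   # NOP, single byte
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2 and length == 4:
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None


def mss_for_mtu(path_mtu):
    """Largest TCP payload that fits a path MTU: MTU minus plain IPv4 and TCP headers."""
    return path_mtu - IPV4_HDR - TCP_HDR


def analyze(pkt):
    """Summarise one captured IPv4 datagram for PMTUD troubleshooting, or None if irrelevant."""
    ip = parse_ipv4(pkt)
    if ip["proto"] == 1:                # ICMP
        hit = parse_icmp_need_frag(ip["payload"])
        if hit is None:
            return None
        mtu, inner = hit
        return {"kind": "need-frag", "reported_by": ip["src"], "next_hop_mtu": mtu,
                "flow": (inner["src"], inner["dst"]), "original_len": inner["total_len"],
                "df": inner["df"], "suggested_mss": mss_for_mtu(mtu)}
    if ip["proto"] == 6:                # TCP
        return {"kind": "tcp", "flow": (ip["src"], ip["dst"]), "df": ip["df"],
                "mss": tcp_syn_mss(ip["payload"])}
    return None


# --- constructed sample packets (checksums left zero; never sent on a wire) ---
def build_ipv4(src, dst, proto, payload, df=False, total_len=None):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len or IPV4_HDR + len(payload),
                      0x1234, IP_FLAG_DF if df else 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def build_tcp_syn(sport, dport, mss):
    opts = struct.pack("!BBH", 2, 4, mss)                       # MSS option: kind 2, len 4
    off_flags = (((TCP_HDR + len(opts)) // 4) << 12) | 0x002    # data offset 6 words, SYN
    return struct.pack("!HHIIHHHH", sport, dport, 1000, 0, off_flags, 65535, 0, 0) + opts


SAP, MAIL = "192.168.111.24", "192.168.118.22"
_syn = build_tcp_syn(51234, 25, 1460)
# SYN from the SAP server toward SMTP, DF set, advertising MSS 1460 (constructed)
SYN_PKT = build_ipv4(SAP, MAIL, 6, _syn, df=True)
# The mail server's "unreachable - need to frag (mtu 1500)" quoting a constructed
# 1600-byte DF datagram from the SAP server; only the first 8 TCP bytes come back.
_inner = build_ipv4(SAP, MAIL, 6, _syn[:8], df=True, total_len=1600)
NEED_FRAG_PKT = build_ipv4(MAIL, SAP, 1, struct.pack("!BBHHH", 3, 4, 0, 0, 1500) + _inner)

if __name__ == "__main__":
    for p in (SYN_PKT, NEED_FRAG_PKT):
        print(analyze(p))
```

Feed `analyze()` raw IPv4 bytes pulled from a capture instead of the inline samples. The `suggested_mss` it reports is the value you would put in tcp-mss-sender/receiver for that path; for a 1476-byte path MTU, which is what a GRE tunnel's 24 bytes of overhead leaves of a 1500-byte link, it works out to the 1436 shown in emnoc's policy.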