Forum Discussion
CirrusCan not ping any self ip or VS with MTU 1500.
My plate form is F5 LTM 5000s with V 11.4.1. I can not ping any selp ip or vs with ping size 1500 I can ping with 1454 but not with any thing larger. MTU in vlan is configured to 1518. How to solve this problem? Documentation shows that 1800 is supported on all plate forms.
I know this is not the issue of slow performance in case of https but still I want to remove his concern. how to enable this.
12 Replies
Muhammad_Irfan1The link between nexus 5K (cisco) and F5 is 10G and MTU 1500 ping works in cisco. just for infoThis is by design. As part of a DDoS mitigation strategy, ICMP frames cannot, by default, be larger than 1500 bytes. There is a db key that allows larger sizes. Please open an F5 Support case. The support engineer can provide you with the appropriate key and details.
Aung_Thurein_72Nimbostratus
https://support.f5.com/kb/en-us/solutions/public/15000/300/sol15396.html
VernonWellsEmployee
This is by design. As part of a DDoS mitigation strategy, ICMP frames cannot, by default, be larger than 1500 bytes. There is a db key that allows larger sizes. Please open an F5 Support case. The support engineer can provide you with the appropriate key and details.
- Aung_Thurein_72https://support.f5.com/kb/en-us/solutions/public/15000/300/sol15396.html
- Cristian_Gal_12
You can change the MTU for a specific VLAN in the Network configuration. Select VLAN and a specific vlan in order the change the MTU.
- Muhammad_Irfan1I have already changed it but its not working, I think this is for actual data packet not ICMP packets.
- What_Lies_Bene1
Cirrostratus
To be sure you'll need to check the MTU end to end from client to F5, something in the path may have a lower MTU.
Note MTU size on the F5 does excludes Ethernet headers so a value of 1500 should be fine (rather than 1518).
If you really want a larger MTU and want ICMP to work with it, let me know and I can supply the db key you need and save you a call.
- What_Lies_Bene1
That link works fine for me. If the VLAN MTU is already 1500 I don't see why increasing it will help. There must be something else with a lower MTU, I'd highly suggest you investigate elsewhere.
mk-infra-netopsI am having the same issue. I cannot ping anything with a 1472 byte packet (plus paylod=1500). It's only going at 1554, like it's getting an extra Ethernet header somewhere. Is this an issue or just the F5 behaving differently by some design than any other Linux machine where 1472 makes it through. This isn't about being able to send more than 1500 bytes, it's about just getting that. Having some performance issues and if the F5 is fragmenting that could explain why we see a considerable delta between going direct to a sever VS to a F5 LTM VIP. Anyone got a good answer for this one. None of the answers so far are actually valid to the problem we are seeing. FYI: Experiencing this is on a Viprion 2100 on a VCMP guest on 11.4.1.- Muhammad_Irfan1I was unable to resolve this problem. Although its not effecting my traffic, This behavior is for ICMP packets to prevent DoS attack. Once you set MTU in vlan to greater, data packets will not be fragmented.
- Aung_Thurein_72
This is due to DoS protection feature as mentioned by Vernon. It is explained in this solution article .
https://support.f5.com/kb/en-us/solutions/public/15000/300/sol15396.html
The solution explains about how to change/increase this maximum limit. The default value for dos.maxicmpframesize is 1500.
However, that does not mean that it will allow the ICMP payload of 1500. Max ICMP echo payload length is only 1454 which is a result of 1500 - 18 (Ethernet Header) - 20 (IP Header) - 8 (ICMP Echo Request header) .
If you want to allow ping tests with larger payloads, increase the db variable to the appropriate value.
