Forum Discussion

boneyard
Jul 17, 2012

F5 setting don't fragment bit

I am running into a situation where it appears the F5 is setting the Don't Fragment bit of a packet that didn't have it set initially. What can be causing this? Is there a way to turn this off?

  • Hamish
    Well... The BIG-IP is a proxy... So the packet that didn't have it set initially isn't actually the original packet... However, I'd have expected that option to be part of the TCP profile. And I notice it isn't... Possibly because in IPv6 it isn't an option...

    Do you have an explicit reason for allowing packets without DF set? Fragmentation in the network isn't good. Most sensible firewalls will drop fragments by default (they're too good a vector for a DoS attack). I find path MTU discovery to be a much better proposition (however, it does require network and firewall admins who know what they're doing).

    H
  • Well, the application behind the F5 uses it. Might it be the path MTU discovery that causes the bit to be set?
  • Hamish
    Ah, yes. Path MTU discovery REQUIRES the DF bit to be set... That's how it detects the requirement for the MTU to be adjusted (as you get back an ICMP error indicating the MTU that is necessary to cross a link when a packet can't be fragmented).

    Sorry, I thought you had an issue with the DF bit being set somewhere.

    H
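The mechanism Hamish describes, as an added illustration that is not part of the thread and not F5 code: a small simulation of what a router does with an IPv4 packet that exceeds a link MTU, depending on whether the DF bit is set (fragment it, or return the ICMP "Fragmentation Needed" error carrying the next-hop MTU that PMTUD relies on). Packets, addresses and link MTUs are constructed test data.

```python
import struct

DF_FLAG = 0x4000  # IPv4 "Don't Fragment" bit (flags/fragment-offset field at byte offset 6)
MF_FLAG = 0x2000  # IPv4 "More Fragments" bit
IHL = 20          # header length without options

def build_ipv4_packet(payload_len, df=True, ident=0x1234):
    """Constructed test packet: minimal 20-byte IPv4 header (checksum left 0) + zero payload."""
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, IHL + payload_len, ident,
                         DF_FLAG if df else 0, 64, 6, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return header + bytes(payload_len)

def df_is_set(packet):
    return bool(struct.unpack_from("!H", packet, 6)[0] & DF_FLAG)

def forward_over_link(packet, link_mtu):
    """Router decision for `packet` on a link of `link_mtu` bytes.

    Returns ("forward", [packet]) if it fits; ("icmp_frag_needed", link_mtu) if it
    does not fit and DF is set (RFC 1191: ICMP type 3 code 4 with the next-hop MTU);
    otherwise ("fragment", fragments) with MF/offset fields filled in."""
    total_length = struct.unpack_from("!H", packet, 2)[0]
    if total_length <= link_mtu:
        return ("forward", [packet])
    if df_is_set(packet):
        return ("icmp_frag_needed", link_mtu)
    header, payload = packet[:IHL], packet[IHL:]
    chunk = (link_mtu - IHL) // 8 * 8  # fragment payloads must be multiples of 8 bytes
    fragments = []
    for offset in range(0, len(payload), chunk):
        piece = payload[offset:offset + chunk]
        more = MF_FLAG if offset + chunk < len(payload) else 0
        frag_header = bytearray(header)
        struct.pack_into("!H", frag_header, 2, IHL + len(piece))
        struct.pack_into("!H", frag_header, 6, more | (offset // 8))
        fragments.append(bytes(frag_header) + piece)
    return ("fragment", fragments)

def discover_path_mtu(payload_len, path_mtus):
    """Sender-side PMTUD: send with DF set, lower the packet size whenever a link
    answers with Fragmentation Needed, and return the resulting path MTU."""
    size = IHL + payload_len
    for mtu in path_mtus:
        outcome, info = forward_over_link(build_ipv4_packet(size - IHL), mtu)
        if outcome == "icmp_frag_needed":
            size = info  # sender adopts the next-hop MTU advertised in the ICMP error
    return size
```

Without DF the 1500-byte packet is silently split into two fragments; with DF the sender instead learns the 1400-byte bottleneck from the ICMP error, which is why a proxy doing PMTUD must set the bit even when the original client did not.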