Forum Discussion
boneyard
Jul 17, 2012 MVP
F5 setting don't fragment bit
I am running into a situation where it appears the F5 is setting the don't fragment bit of a packet that didn't have it set initially. What can be causing this? Is there a way to turn this off?
Hamish
Jul 17, 2012 Cirrocumulus
Well... The BigIP is a proxy... So the packet that didn't have it set initially isn't actually the original packet... However I'd have expected that option to be part of the TCP profile. And I notice it isn't... Possibly because in IPv6 it isn't an option...
Do you have an explicit reason for allowing packets without DNF set? Fragmentation in the network isn't good. Most sensible firewalls will drop fragments by default (They're too good a vector for a DOS attack). I find path-mtu discovery to be a much better proposition (However it does require network and firewall admins who know what they're doing).
H
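An added example, not part of either post above: a small check that reads the fragmentation fields of raw IPv4 headers so the DF bit can be compared on the client-side and server-side legs of a proxied connection. The headers and addresses here are constructed sample data; in practice the bytes would come from captures taken on each side of the proxy.

```python
import socket
import struct

DF, MF = 0x4000, 0x2000  # flag bits inside the 16-bit flags/fragment-offset field

def make_header(src, dst, ident, flags, total_len=1500):
    """Build a 20-byte IPv4 header (constructed sample data, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags,
                       64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))

def parse_fragment_fields(header):
    """Return the fragmentation-related fields of a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    total_len, ident, flags_frag = struct.unpack("!HHH", header[2:8])
    return {
        "src": socket.inet_ntoa(header[12:16]),
        "dst": socket.inet_ntoa(header[16:20]),
        "id": ident,
        "total_len": total_len,
        "df": bool(flags_frag & DF),
        "mf": bool(flags_frag & MF),
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # field counts 8-byte units
    }

def df_changed(client_side, server_side):
    """True when DF differs between the two legs of a proxied connection."""
    client = parse_fragment_fields(client_side)
    server = parse_fragment_fields(server_side)
    return client["df"] != server["df"]

# Constructed packets: client -> virtual server without DF,
# proxy -> pool member with DF set on the newly built packet.
CLIENT_LEG = make_header("198.51.100.10", "203.0.113.80", 0x1A2B, 0)
SERVER_LEG = make_header("10.0.0.5", "10.0.0.20", 0x0001, DF)

if __name__ == "__main__":
    for name, pkt in (("client side", CLIENT_LEG), ("server side", SERVER_LEG)):
        print(name, parse_fragment_fields(pkt))
    print("DF changed across proxy:", df_changed(CLIENT_LEG, SERVER_LEG))
```

The two legs carry different source addresses and IP IDs as well as different DF values, which is what a capture looks like when the second packet is built by the proxy rather than forwarded.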