Forum Discussion
kridsana
Cirrocumulus
CirrocumulusHow to clear Don't Fragment (DF) bit
there is some virtual server that have a problem that
packet segment lost when MTU = 1500
so i want to clear DF bit to fix this problem , and how to clear it?
thank you
kridsanaOh my god , I can't read other page T-T
Can you read second page? please send url link to me by pm . I hope it help (a little bit). T-T
What_Lies_Bene1Cirrostratus
The second page issue is known, hopefully it's being worked on.
Regarding the CheckPoint, perhaps it has a lower MTU on one of the interfaces involved? 1500 Byte PINGs should be fine and shouldn't cause issues. Also, perhaps you can do whatever necessary to enable PMTUD?
HamishAre you using 1500 Byte packet size? Or ping -s 1500 which will send 2x packets as it's specifying 1500Bytes of DATA in the ping... (WHich of course doesn't fit if your MTU is 1500).
However as WLB says above, perhaps you have Jumbo frames configured on one side of checkpoint and 1500 on the other (WHich would generate the WOULD FRAGMENT in response to tryiung to forward a packet > 1500Bytes [1514 including the MAC addresses and type] from a jumbo frame interface to an interface with a 1500Byte (Or smaller) MTU).
H- HamishFWIW I just fixed an issue with checkpoint firewalls and MTU issues.. There's a known bug in checkpoint with some intel 10Gb network cards using the ixgbe drivers..
It happens when coalescing goes a bit mad. The ixgbe drivers will take incoming packets and coalesce them into bigger (i.e. Jumbo) packets... This appears to go a bit mad on some of their kit (There's an sk note and a workaround (Set the timers to 0 for coalescing). Sometimes the workaround doesn't work and you need to get an updated driver.
To diagnose, do a tcpdump on the firewall. Even though you have a 1500 Byte MTU on the inbound interface you'll see packets > 1514 bytes being accepted (Small lie they're two packets coalesced).
H - HamishThe checkpoint sk note is sk62847 BTW...
H - kridsanaNow , I'm testing ICMP packet behavior from My computer to F5.
when I ping <1472 bytes to F5 ..I see ICMP request and ICMP reply is DF bit clear
when I ping >1472 bytes to F5 .. I see ICMP request and ICMP reply is DF bit clear too (more fragmented is set instead)
DF bit will set only when F5 send ping request to my computer.
but this issue .... F5 set DF bit in ICMP reply!! (so router drop it when ICMP reply payload is more than 1472 bytes , cause it's can't fragmented , and router send ICMP type 3 code 4 to tell F5 for Fragmented need) .... Is it strange or normal for DF bit is set in ICMP reply? Should I post tcpdump here or is it should to be secret for customer?
please correct me , thank you - kridsanaUpdate : I've change BIG-IP version into 10.2.4 595 HF3 to test.
so I found when I ping from my computer > virtual server (or self ip) ... F5 send ICMP reply with DF bit set. (at first it's my mistake to ping to mgmt) 
nitassEmployee
[root@ve10:Active] config b db TM.PathMTUDiscovery TM.PathMTUDiscovery = enable [root@ve10:Active] config tcpdump -nni 0.0 -s0 icmp -v tcpdump: listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes 20:17:08.139335 IP (tos 0x0, ttl 125, id 9480, offset 0, flags [none], proto: ICMP (1), length: 60) 192.168.206.33 > 172.28.19.252: ICMP echo request, id 1, seq 231, length 40 in slot1/tmm0 lis= 20:17:08.139355 IP (tos 0x0, ttl 255, id 552, offset 0, flags [DF], proto: ICMP (1), length: 60) 172.28.19.252 > 192.168.206.33: ICMP echo reply, id 1, seq 231, length 40 out slot1/tmm0 lis= [root@ve10:Active] config b db TM.PathMTUDiscovery disable [root@ve10:Active] config b db TM.PathMTUDiscovery TM.PathMTUDiscovery = disable [root@ve10:Active] config tcpdump -nni 0.0 -s0 icmp -v tcpdump: listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes 20:17:44.423307 IP (tos 0x0, ttl 125, id 9576, offset 0, flags [none], proto: ICMP (1), length: 60) 192.168.206.33 > 172.28.19.252: ICMP echo request, id 1, seq 234, length 40 in slot1/tmm0 lis= 20:17:44.423336 IP (tos 0x0, ttl 255, id 572, offset 0, flags [none], proto: ICMP (1), length: 60) 172.28.19.252 > 192.168.206.33: ICMP echo reply, id 1, seq 234, length 40 out slot1/tmm0 lis=- kridsanaPosted By nitass on 01/07/2013 04:28 AM
[root@ve10:Active] config b db TM.PathMTUDiscovery TM.PathMTUDiscovery = enable [root@ve10:Active] config tcpdump -nni 0.0 -s0 icmp -v tcpdump: listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes 20:17:08.139335 IP (tos 0x0, ttl 125, id 9480, offset 0, flags [none], proto: ICMP (1), length: 60) 192.168.206.33 > 172.28.19.252: ICMP echo request, id 1, seq 231, length 40 in slot1/tmm0 lis= 20:17:08.139355 IP (tos 0x0, ttl 255, id 552, offset 0, flags [DF], proto: ICMP (1), length: 60) 172.28.19.252 > 192.168.206.33: ICMP echo reply, id 1, seq 231, length 40 out slot1/tmm0 lis= [root@ve10:Active] config b db TM.PathMTUDiscovery disable [root@ve10:Active] config b db TM.PathMTUDiscovery TM.PathMTUDiscovery = disable [root@ve10:Active] config tcpdump -nni 0.0 -s0 icmp -v tcpdump: listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes 20:17:44.423307 IP (tos 0x0, ttl 125, id 9576, offset 0, flags [none], proto: ICMP (1), length: 60) 192.168.206.33 > 172.28.19.252: ICMP echo request, id 1, seq 234, length 40 in slot1/tmm0 lis= 20:17:44.423336 IP (tos 0x0, ttl 255, id 572, offset 0, flags [none], proto: ICMP (1), length: 60) 172.28.19.252 > 192.168.206.33: ICMP echo reply, id 1, seq 234, length 40 out slot1/tmm0 lis=Thank you. So it's a way to clear DF bit in reply packet. But I've something on my mind.
Is disable PMTUD affect another traffic? because for all i know this problem affect only one virtual server and only icmp traffic.
- nitassIs disable PMTUD affect another traffic?bigip would relay fragmentation needed packet between client and server.
by the way, i agree with Hamish that you should find where fragmentation needed packet is dropped.