kridsana
Dec 26, 2012

How to clear Don't Fragment (DF) bit

There is some virtual server that has a problem: packet segments are lost when MTU = 1500.

So I want to clear the DF bit to fix this problem. How do I clear it?

Thank you

 

  • And you have re-enabled PMTU, yes?

    Now PMTU is enabled; the customer didn't want to disable it because it'll affect other virtual servers.

    You do see it in tcpdump, don't you? Have you provided support the tcpdump? It is C1263209, isn't it? What is the tcpdump filename?

    Yes I do. I provided the file in C1263209, named tcpdumpfiles.tar.gz (extract it and take a look at mt-0110-1000.pcap (01/10/2012, time 10.00)).

  • OK, so to clarify, you see the correct ICMP Fragmentation Needed message come from the firewall and it contains a lower MTU value but the F5 continues to send larger packets? I'm sure Nitass has asked before, but have you also run the show net cmetric command to confirm what MTU is shown there after you see the ICMP Fragmentation Needed message?

    Even if it's not updated there, do you see the F5 continue to send packets larger than the lower MTU to the firewall or not?

    I doubt your ping tests are really a valid way of testing this. Can you not use a client/browser on the other side of the firewall and request some content that should result in packets that are 1500 bytes?
  • After the F5 reassembles TCP, it sends a 1500-byte packet to the client, but Checkpoint drops it and returns ICMP fragmentation needed to the F5 with next-hop MTU 1476. Don't you see the BIG-IP resend the packet with a lower length?

    e.g.

    In mt-0110-1000.pcap, packet 133 has a TCP length of 1460. Packets 136 and 137 have TCP lengths of 1396 and 64 respectively. 1460 is 1396 + 64. The 117.176.110.113 MAC address belongs to the F5.

    No.     Time                       Delta Time  Source                Src port Destination           Protocol Dst port Window     BiF        Vlan id Length Info
        133 2012-10-01 10:38:48.570136 0.000000    10.153.1.13           80       117.176.110.113       TCP      4394     6848       1460       109     1518   [TCP segment of a reassembled PDU]
        135 2012-10-01 10:38:48.570136 0.000000    10.151.25.1           80       10.153.1.13           ICMP     4394                           109     74     Destination unreachable (Fragmentation needed)
        136 2012-10-01 10:38:48.570136 0.000000    10.153.1.13           80       117.176.110.113       TCP      4394     6848       1621       109     1454   [TCP Out-Of-Order] 80 > 4394 [ACK] Seq=3441923333 Ack=2282044611 Win=6848 Len=1396
        137 2012-10-01 10:38:48.570136 0.000000    10.153.1.13           80       117.176.110.113       TCP      4394     6848       1621       109     122    [TCP Out-Of-Order] [TCP segment of a reassembled PDU]
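
The re-segmentation pointed out in this post can be checked mechanically. The sketch below is an added example, not part of any post in this thread: it takes the four rows of the capture summary above, assumes 18 bytes of layer-2 overhead (Ethernet plus the 802.1Q tag implied by the Vlan id column), and reports whether the sender kept emitting IP packets larger than the next-hop MTU of 1476 after the ICMP message. `Row`, `ip_len` and `check_pmtud` are hypothetical names.

```python
from collections import namedtuple

# Assumption: each frame carries Ethernet (14 bytes) + 802.1Q tag (4 bytes),
# consistent with the "Vlan id 109" column of the capture summary.
L2_OVERHEAD = 14 + 4

Row = namedtuple("Row", "no src dst proto frame_len tcp_len next_hop_mtu")

# Rows transcribed from the capture summary in the post. next_hop_mtu (1476)
# is the value stated in the thread, not a column of the summary.
ROWS = [
    Row(133, "10.153.1.13", "117.176.110.113", "TCP", 1518, 1460, None),
    Row(135, "10.151.25.1", "10.153.1.13", "ICMP", 74, None, 1476),
    Row(136, "10.153.1.13", "117.176.110.113", "TCP", 1454, 1396, None),
    Row(137, "10.153.1.13", "117.176.110.113", "TCP", 122, 64, None),
]

def ip_len(row):
    """IP total length, derived from the on-wire frame length."""
    return row.frame_len - L2_OVERHEAD

def check_pmtud(rows):
    """Report how the sender reacted to each Fragmentation Needed message."""
    reports = []
    for i, icmp in enumerate(rows):
        if icmp.proto != "ICMP" or icmp.next_hop_mtu is None:
            continue
        sender = icmp.dst  # the ICMP error is addressed to the original sender
        mtu = icmp.next_hop_mtu
        before = [r for r in rows[:i] if r.proto == "TCP" and r.src == sender]
        after = [r for r in rows[i + 1:] if r.proto == "TCP" and r.src == sender]
        too_big = [r for r in before if ip_len(r) > mtu]
        reports.append({
            "mtu": mtu,
            # segments sent before the ICMP error that exceeded the path MTU
            "too_big_before": [r.no for r in too_big],
            # segments still exceeding it afterwards (PMTUD not honoured)
            "oversized_after": [r.no for r in after if ip_len(r) > mtu],
            # coarse check: same payload byte total resent in smaller pieces
            "payload_matches": sum(r.tcp_len for r in too_big)
                               == sum(r.tcp_len for r in after),
        })
    return reports

if __name__ == "__main__":
    for report in check_pmtud(ROWS):
        print(report)
```
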
    
  • Posted By nitass on 01/18/2013 11:53 PM

    After the F5 reassembles TCP, it sends a 1500-byte packet to the client, but Checkpoint drops it and returns ICMP fragmentation needed to the F5 with next-hop MTU 1476. Don't you see the BIG-IP resend the packet with a lower length?

    e.g.

    In mt-0110-1000.pcap, packet 133 has a TCP length of 1460. Packets 136 and 137 have TCP lengths of 1396 and 64 respectively. 1460 is 1396 + 64. The 117.176.110.113 MAC address belongs to the F5.

    No.     Time                       Delta Time  Source                Src port Destination           Protocol Dst port Window     BiF        Vlan id Length Info
        133 2012-10-01 10:38:48.570136 0.000000    10.153.1.13           80       117.176.110.113       TCP      4394     6848       1460       109     1518   [TCP segment of a reassembled PDU]
        135 2012-10-01 10:38:48.570136 0.000000    10.151.25.1           80       10.153.1.13           ICMP     4394                           109     74     Destination unreachable (Fragmentation needed)
        136 2012-10-01 10:38:48.570136 0.000000    10.153.1.13           80       117.176.110.113       TCP      4394     6848       1621       109     1454   [TCP Out-Of-Order] 80 > 4394 [ACK] Seq=3441923333 Ack=2282044611 Win=6848 Len=1396
        137 2012-10-01 10:38:48.570136 0.000000    10.153.1.13           80       117.176.110.113       TCP      4394     6848       1621       109     122    [TCP Out-Of-Order] [TCP segment of a reassembled PDU]

    I see, the packets seem to appear out of order and it's confusing.

    e.g. packet 136 is retransmitted in 1436 bytes, but packet 134 is the HTTP/200 OK reassembly of packets 133, 137, 134 (not packet 136??), but this seems fine.

    thank you

  • I cannot ping any self IP or VS with MTU 1500. Please tell me the db key to be able to ping with ICMP MTU 1500.