Forum Discussion
ICMP (Fragmentation needed) Between Firewall and LTM
Since PMTUD is already enabled and the routing table is correctly configured via dynamic routing protocols (BGP and OSPF), the problem might lie elsewhere. You could start by verifying the settings related to how the F5 LTM handles ICMP error messages using the tmsh show sys icmp-errors command to ensure that the system is not set to drop or mishandle ICMP Type 3, Code 4 messages. Creating specific rules or profiles to handle ICMP traffic, such as using an iRule or modifying the virtual server settings, might help ensure that ICMP messages are properly processed. Although adjusting the TCP MSS might seem risky in an enterprise environment, performing a controlled test during a maintenance window could be a viable option. Alternatively, ensure that the MTU settings on both the firewall and the F5 LTM are correctly configured and consistent. Increasing the debug level for ICMP and PMTUD-related logs temporarily could provide more detailed information to pinpoint why the ICMP messages are being looped. Reviewing the virtual server and pool configurations to ensure proper handling of ICMP traffic and considering a temporary static route for the specific problematic traffic could also help in isolating the issue. While waiting for the upgrade, check for any hotfixes or patches available for your current version (15.1.9.1) that address this specific issue.
Refer to the article below:
https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/relnote-supplement-bigip-15-1-9-1.html
Thank you. As much as I appreciate your trying to help, and indeed I do, this is not helping us make progress with this weird issue.
The tmsh show sys icmp... command is showing drops, not errors, not loops, or whatsoever. So this command does not help.
The TCP MSS is not about a maintenance window, because in this environment it would not help. It might fix one site and corrupt others.
Hence PMTUD is enabled, and hence there is no routing issue, and hence still there is a loop, and hence the issue was replicated by Fortinet TAC support without an F5 LTM device and the result was there is no issue; we would like to know what could be improved in the LTM so this issue disappears.
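A way to check a packet capture for the kind of loop discussed in this thread, as an added example that is not part of either post and not F5 or Fortinet code: it decodes ICMP Type 3 Code 4 messages (RFC 1191, next-hop MTU in the second word of the ICMP header) and flags two conditions a looping device produces, an ICMP error quoting another ICMP error (RFC 1122 section 3.2.2 forbids this) and a report whose quoted datagram already fits the advertised MTU. The addresses, MTU value and packets are constructed for the example.

```python
import socket
import struct

ICMP_ERRORS = {3, 4, 5, 11, 12}  # ICMP error types; RFC 1122 3.2.2 forbids errors about errors

def ipv4(src, dst, proto, payload, ident):
    # Constructed minimal IPv4 datagram (DF set, checksum left zero; not verified here).
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def frag_needed(reporter, to, mtu, offending):
    # Constructed ICMP Type 3 Code 4 quoting the offending datagram's header + 8 bytes (RFC 1191).
    return ipv4(reporter, to, 1, struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + offending[:28], 0)

def parse_frag_needed(pkt):
    """Return the fields of an ICMP Fragmentation Needed message, or None for anything else."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:                                  # not ICMP
        return None
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
    if (itype, code) != (3, 4):
        return None
    inner = pkt[ihl + 8:]                            # quoted original IP header + 8 payload bytes
    inner_len, inner_id = struct.unpack("!HH", inner[2:6])
    quoted_icmp_type = inner[(inner[0] & 0x0F) * 4] if inner[9] == 1 else None
    return {"reporter": socket.inet_ntoa(pkt[12:16]), "to": socket.inet_ntoa(pkt[16:20]),
            "mtu": mtu, "inner_len": inner_len, "inner_id": inner_id,
            "inner_src": socket.inet_ntoa(inner[12:16]), "inner_dst": socket.inet_ntoa(inner[16:20]),
            "quoted_icmp_type": quoted_icmp_type}

def audit(pkts):
    """Flag Fragmentation Needed messages that point at a loop or carry a bogus MTU report."""
    findings = []
    for f in filter(None, map(parse_frag_needed, pkts)):
        if f["quoted_icmp_type"] in ICMP_ERRORS:     # an ICMP error generated about an ICMP error
            findings.append(("error-about-error", f["reporter"], f["to"]))
        if f["inner_len"] <= f["mtu"]:               # quoted datagram already fits the reported MTU
            findings.append(("mtu-not-exceeded", f["reporter"], f["mtu"]))
    return findings

def sample_capture():
    # Constructed packets: a 1500-byte TCP datagram, a legitimate PMTUD report from the
    # firewall about it, then that report itself bounced back as a new error by the LTM.
    big = ipv4("10.0.0.5", "198.51.100.9", 6, b"\x00" * 1480, 0x0101)
    fw_report = frag_needed("192.0.2.1", "10.0.0.5", 1400, big)      # legitimate
    loop = frag_needed("192.0.2.2", "192.0.2.1", 1400, fw_report)    # error about an error
    return [big, fw_report, loop]
```

To use it on a real capture, feed `audit()` the raw IPv4 datagrams from a pcap reader in place of `sample_capture()`; a hit on "error-about-error" identifies which side is generating errors about errors.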