ICMP (Fragmentation needed) Between Firewall and LTM

Question

We have been working for a while with Fortinet about an issue between the firewall and the LTM (r10600 with tenant 15.1.9.1), this issue is causing a loop with some ICMP packets.

The flow goes like this:

internet (ISP) --- firewall --- LTM --- customer network (client)

So yes, the LTM is in the middle between the client and the firewall

So to be much clear, the client is sufing the internet through the LTM up ot the firewall, and then traffic sent to ISP.

The issue:

When client tries to reach the internet, for some packets, we noticed a packets with fragmentation issue.

Packets captured with "ICMP Frag Needed" on the firewall which has been sent to the LTM, for some reason the LTM is sending it back to the firewall, causing a loop.

According to F5 the routing table, the next hop for 10.0.0.0/9 is the client, but it does not check the routing table for those kind of packets "ICMP Frag Needed"

In F5 we see a lot of "need to frag" ICMP messages:

[root@f5-r10600-abc:Active:Standalone] config # tcpdump -i Internet 'icmp[0] = 3' | grep "need to frag"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on Internet, link-type EN10MB (Ethernet), capture size 65535 bytes
14:15:25.497395 IP 72.246.151.107 > 10.76.174.197: ICMP 72.246.151.107 unreachable - need to frag (mtu 1448), length 556 in slot1/tmm0 lis=
14:15:25.497399 IP 72.246.151.107 > 10.76.174.197: ICMP 72.246.151.107 unreachable - need to frag (mtu 1448), length 556 in slot1/tmm0 lis=
14:15:25.498314 IP 72.246.151.171 > 10.51.131.240: ICMP 72.246.151.171 unreachable - need to frag (mtu 1448), length 556 in slot1/tmm0 lis=

We are concerned that the F5 is not behaving accordingly to this kind of ICMP traffic.

We read some articles about PMTUD while not being sure if this is the issue:

https://my.f5.com/manage/s/article/K000138230

https://my.f5.com/manage/s/article/K13948

We tried the TAC support but we have 15.1.9.1 and it is EOS two weeks ago

an upgrade will be done but only next month, and I don't this will be solved by an upgrade.

Has anyone faced this issue?

Thanks

vishnugatla · Answer

Hello AbedThe issue you're experiencing with ICMP "Fragmentation Needed" messages causing a loop between your Fortinet firewall and the F5 LTM is indeed a challenging one but not uncommon in complex network setups. The problem appears to be related to Path MTU Discovery (PMTUD) and how the F5 LTM handles ICMP "Fragmentation Needed" messages.Path MTU Discovery (PMTUD) is a mechanism used to determine the maximum transmission unit (MTU) size on the path between two IP hosts, ensuring that IP packets are transmitted without the need for fragmentation. When a packet exceeds the MTU size, an ICMP "Fragmentation Needed" message is sent back to the sender, indicating that the packet needs to be fragmented or resized to fit the MTU.In your case, it seems that the F5 LTM is not properly handling these ICMP messages and is instead sending them back to the firewall, causing a loop. This can happen if the LTM's routing table or PMTUD configuration is not properly set up to handle these messages.Enable PMTUD on F5 LTMtmsh modify sys db tm.pmtud.enable value trueCheck and Adjust MTU Settingstmsh list net interface all-propertiestmsh modify net interface &lt;interface_name&gt; mtu &lt;mtu_value&gt;&nbsp; -- Adjust the MTU settings if necessaryUpdate Routing Tabletmsh list net routetmsh modify net route &lt;route_name&gt; gw &lt;gateway_ip&gt;Adjust TCP MSS:tmsh modify sys db tcp.mss value 1460On Fortinet:config system interfaceedit &lt;interface_name&gt;set tcp-mss &lt;mss_value&gt;nextend&nbsp;Review Relevant Articles:&nbsp;https://my.f5.com/manage/s/article/K000138230&nbsp;https://my.f5.com/manage/s/article/K13948&nbsp;&nbsp;

abed_al-r · Answer

Thanks for the reply, but those articles I already read them, and mentioned them in the articlePMTUD is already enabled:root@(f5-r10600-abc)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db tm.pathmtudiscoverysys db tm.pathmtudiscovery {&nbsp; &nbsp; value "enable"}Routing table is not static to change things there, it is a compination of BGP and OSPF, with redistribution between themRouting table is stable and works fine for all other find of traffic, only for this kind of trafic (ICMP frag needed) is being ignored, or at least this is what it seems likeSo routing table should be modified if everyhting is working fine, but only thisRegarding adjusting the tcp-mss, we thought about it, but this is enterprise network, we afraid to modify this, and maybe corrupt many other things&nbsp;

vishnugatla · Answer

Since PMTUD is already enabled and the routing table is correctly configured via dynamic routing protocols (BGP and OSPF), the problem might lie elsewhere. You could start by verifying the settings related to how the F5 LTM handles ICMP error messages using the tmsh show sys icmp-errors command to ensure that the system is not set to drop or mishandle ICMP Type 3, Code 4 messages. Creating specific rules or profiles to handle ICMP traffic, such as using an iRule or modifying the virtual server settings, might help ensure that ICMP messages are properly processed. Although adjusting the TCP MSS might seem risky in an enterprise environment, performing a controlled test during a maintenance window could be a viable option. Alternatively, ensure that the MTU settings on both the firewall and the F5 LTM are correctly configured and consistent. Increasing the debug level for ICMP and PMTUD-related logs temporarily could provide more detailed information to pinpoint why the ICMP messages are being looped. Reviewing the virtual server and pool configurations to ensure proper handling of ICMP traffic and considering a temporary static route for the specific problematic traffic could also help in isolating the issue. While waiting for the upgrade, check for any hotfixes or patches available for your current version (15.1.9.1) that address this specific issue.&nbsp;Refer below Article:https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/relnote-supplement-bigip-15-1-9-1.html&nbsp;

abed_al-r · Answer

Thank you. As much as I appreciate your try to help, and indeed I do, but this is not helping us to make a progress with this weird issue.The tmsh show sys icmp... is showing drops, not error, not loops, or what so ever. So this command does not helpThe TCP-MSS, is not about a maintinance window, because in this environment it would not help. It might fix one site, and corrupt others.Hence PMTUD is enabled, and hence there is no routing issue, and hence still there is a loop, and hence issue replicated by Fortinet TAC support without a n F5 LTM device and thre result was there is no issue, we would like to know what could be improved in LTM so this issue disappears.&nbsp;

zamroni777 · Answer

it seems the packet comes from fw to f5 with DF (dont fragment) bit flag enabled in IP header&nbsp;while f5 needs to fragment it before sending to client.the df bit might not set by fw but by node in front of fw.you can configure fortinet to respect/honor the df flag or not and see which one works in your network.config system global
    set honor-df enable/disable  &lt;- Enabled by default.&nbsp;

Forum Discussion

ICMP (Fragmentation needed) Between Firewall and LTM

6 Replies

SSO Login Update Coming to DevCentral

Kevin - June 2026 Featured F5er

Tyler - May 2026 Featured Member

Recent Discussions

ASM attack signatures not syncing between active and standby F5

Query on source IP preservation for syslog traffic through F5 virtual server

Hardware BIG-IP appliance reach EOSS, but the software version running on it not yet?

VPN Communication Error with F5 BIG-IP Edge Client

simultaneous disabling / enabling of all LTM objects

Related Content

F5 AFM/Edge Firewall and the difference between Edge Firewalls and Next-generation Firewalls (NGFW)

Introduction to F5 BIG-IP Advanced Firewall Manager (AFM)

Microservices – application fragments need application services

BIG-IP Next Edge Firewall CNF for Edge workloads

F5 Distributed Cloud – Why You Should Never Block Regional Edge IPs on Your Firewall

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS