Forum Discussion

Abed_AL-R
Jan 22, 2025

ICMP (Fragmentation needed) Between Firewall and LTM

We have been working for a while with Fortinet about an issue between the firewall and the LTM (r10600 with tenant 15.1.9.1), this issue is causing a loop with some ICMP packets.

The flow goes like this:

internet (ISP) ---  firewall --- LTM --- customer network (client)

So yes, the LTM is in the middle between the client and the firewall.

So, to be clearer, the client is surfing the internet through the LTM up to the firewall, and then traffic is sent to the ISP.

The issue:

When the client tries to reach the internet, for some packets we noticed a fragmentation issue.

Packets captured with "ICMP Frag Needed" on the firewall have been sent to the LTM; for some reason the LTM is sending them back to the firewall, causing a loop.

According to the F5 routing table, the next hop for 10.0.0.0/9 is the client, but it does not check the routing table for this kind of packet ("ICMP Frag Needed").

In F5 we see a lot of "need to frag" ICMP messages:

[root@f5-r10600-abc:Active:Standalone] config # tcpdump -i Internet 'icmp[0] = 3'  | grep "need to frag"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on Internet, link-type EN10MB (Ethernet), capture size 65535 bytes
14:15:25.497395 IP 72.246.151.107 > 10.76.174.197: ICMP 72.246.151.107 unreachable - need to frag (mtu 1448), length 556 in slot1/tmm0 lis=
14:15:25.497399 IP 72.246.151.107 > 10.76.174.197: ICMP 72.246.151.107 unreachable - need to frag (mtu 1448), length 556 in slot1/tmm0 lis=
14:15:25.498314 IP 72.246.151.171 > 10.51.131.240: ICMP 72.246.151.171 unreachable - need to frag (mtu 1448), length 556 in slot1/tmm0 lis=

We are concerned that the F5 is not behaving as it should with this kind of ICMP traffic.

We read some articles about PMTUD, while not being sure if this is the issue:

https://my.f5.com/manage/s/article/K000138230

https://my.f5.com/manage/s/article/K13948

We tried TAC support, but we have 15.1.9.1 and it went EOS two weeks ago.

An upgrade will be done, but only next month, and I don't think this will be solved by an upgrade.

Has anyone faced this issue?

Thanks
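A triage helper for the capture shown above, added here as an example and not part of the original post: it parses the `need to frag` lines, resolves each destination against a constructed stand-in for the poster's routing table (10.0.0.0/9 towards the client, everything else to the firewall), and counts copies of the same message that arrive within a millisecond of the previous one, which a message forwarded once towards its destination should not produce. `ROUTES`, `triage` and the 1 ms window are assumptions; the sample lines are the ones from the post.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed stand-in for the poster's BGP/OSPF table: 10.0.0.0/9 is expected
# to go towards the client network, everything else back to the firewall.
ROUTES = {ip_network("10.0.0.0/9"): "client", ip_network("0.0.0.0/0"): "firewall"}

# Lines as printed by: tcpdump -i Internet 'icmp[0] = 3' | grep "need to frag"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP .*? unreachable - need to frag \(mtu (?P<mtu>\d+)\)"
)
# Copied from the capture in the post (tcpdump banner included as noise).
SAMPLE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
14:15:25.497395 IP 72.246.151.107 > 10.76.174.197: ICMP 72.246.151.107 unreachable - need to frag (mtu 1448), length 556 in slot1/tmm0 lis=
14:15:25.497399 IP 72.246.151.107 > 10.76.174.197: ICMP 72.246.151.107 unreachable - need to frag (mtu 1448), length 556 in slot1/tmm0 lis=
14:15:25.498314 IP 72.246.151.171 > 10.51.131.240: ICMP 72.246.151.171 unreachable - need to frag (mtu 1448), length 556 in slot1/tmm0 lis=
""".splitlines()

def parse_line(line):
    """Return (seconds since midnight, src, dst, mtu), or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s = m["ts"].split(":")
    return int(h) * 3600 + int(mi) * 60 + float(s), m["src"], m["dst"], int(m["mtu"])

def next_hop(dst):
    """Longest-prefix match of dst against ROUTES (the default route always matches)."""
    addr = ip_address(dst)
    return ROUTES[max((n for n in ROUTES if addr in n), key=lambda n: n.prefixlen)]

def triage(lines, window=0.001):
    """Per (src, dst, mtu): copies seen, copies arriving within `window` seconds of the
    previous one (fast repeats point at the message bouncing back), and dst's next hop."""
    last_seen, report = {}, {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, mtu = parsed
        key = (src, dst, mtu)
        entry = report.setdefault(key, {"count": 0, "fast_repeats": 0, "next_hop": next_hop(dst)})
        entry["count"] += 1
        if key in last_seen and ts - last_seen[key] <= window:
            entry["fast_repeats"] += 1
        last_seen[key] = ts
    return report
```

Calling `triage(SAMPLE)` reports the first message twice with one fast repeat and both destinations resolving to the client, so a copy seen on the firewall-facing capture again 4 microseconds later did not take the route the table gives it.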

  • It seems the packet comes from the fw to the f5 with the DF (don't fragment) bit set in the IP header, while the f5 needs to fragment it before sending it to the client.
    The DF bit might not be set by the fw but by a node in front of the fw.

    You can configure Fortinet to respect/honor the DF flag or not and see which one works in your network.

    config system global
        set honor-df enable/disable  <- Enabled by default.


    • Abed_AL-R

      Thank you.

      The honor-df is indeed set to enable. I tried disabling it to see if that helps, but it did not.

  • f51

    Since PMTUD is already enabled and the routing table is correctly configured via dynamic routing protocols (BGP and OSPF), the problem might lie elsewhere. You could start by verifying the settings related to how the F5 LTM handles ICMP error messages using the tmsh show sys icmp-errors command to ensure that the system is not set to drop or mishandle ICMP Type 3, Code 4 messages. Creating specific rules or profiles to handle ICMP traffic, such as using an iRule or modifying the virtual server settings, might help ensure that ICMP messages are properly processed. Although adjusting the TCP MSS might seem risky in an enterprise environment, performing a controlled test during a maintenance window could be a viable option. Alternatively, ensure that the MTU settings on both the firewall and the F5 LTM are correctly configured and consistent. Increasing the debug level for ICMP and PMTUD-related logs temporarily could provide more detailed information to pinpoint why the ICMP messages are being looped. Reviewing the virtual server and pool configurations to ensure proper handling of ICMP traffic and considering a temporary static route for the specific problematic traffic could also help in isolating the issue. While waiting for the upgrade, check for any hotfixes or patches available for your current version (15.1.9.1) that address this specific issue. 

    Refer to the article below:
    https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/relnote-supplement-bigip-15-1-9-1.html

    • Abed_AL-R

      Thank you. As much as I appreciate your trying to help, and indeed I do, this is not helping us make progress with this weird issue.

      The tmsh show sys icmp... is showing drops, not errors, not loops, or whatsoever. So this command does not help.

      The TCP-MSS is not about a maintenance window, because in this environment it would not help. It might fix one site and corrupt others.

      Given that PMTUD is enabled, that there is no routing issue, that there is still a loop, and that the issue was replicated by Fortinet TAC support without an F5 LTM device and the result was that there is no issue, we would like to know what could be improved in the LTM so this issue disappears.

  • f51

    Hello Abed

    The issue you're experiencing with ICMP "Fragmentation Needed" messages causing a loop between your Fortinet firewall and the F5 LTM is indeed a challenging one but not uncommon in complex network setups. The problem appears to be related to Path MTU Discovery (PMTUD) and how the F5 LTM handles ICMP "Fragmentation Needed" messages.

    Path MTU Discovery (PMTUD) is a mechanism used to determine the maximum transmission unit (MTU) size on the path between two IP hosts, ensuring that IP packets are transmitted without the need for fragmentation. When a packet exceeds the MTU size, an ICMP "Fragmentation Needed" message is sent back to the sender, indicating that the packet needs to be fragmented or resized to fit the MTU.

    In your case, it seems that the F5 LTM is not properly handling these ICMP messages and is instead sending them back to the firewall, causing a loop. This can happen if the LTM's routing table or PMTUD configuration is not properly set up to handle these messages.

    Enable PMTUD on F5 LTM

    tmsh modify sys db tm.pathmtudiscovery value enable

    Check and Adjust MTU Settings

    tmsh list net interface all-properties

    tmsh modify net interface <interface_name> mtu <mtu_value>  -- Adjust the MTU settings if necessary

    Update Routing Table

    tmsh list net route
    tmsh modify net route <route_name> gw <gateway_ip>

    Adjust TCP MSS

    tmsh modify sys db tcp.mss value 1460

    On Fortinet:

    config system interface
    edit <interface_name>
    set tcp-mss <mss_value>
    next
    end


    Review Relevant Articles

    https://my.f5.com/manage/s/article/K000138230

    https://my.f5.com/manage/s/article/K13948

    • Abed_AL-R

      Thanks for the reply, but I have already read those articles, and mentioned them in the article.

      PMTUD is already enabled:

      root@(f5-r10600-abc)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db tm.pathmtudiscovery
      sys db tm.pathmtudiscovery {
          value "enable"
      }

      The routing table is not static, so we cannot change things there; it is a combination of BGP and OSPF, with redistribution between them.
      The routing table is stable and works fine for all other kinds of traffic; only this kind of traffic (ICMP frag needed) is being ignored, or at least this is what it seems like.
      So should the routing table be modified when everything is working fine except for this?

      Regarding adjusting the tcp-mss, we thought about it, but this is an enterprise network, and we are afraid to modify this and maybe corrupt many other things.