ICMP (Fragmentation needed) Between Firewall and LTM
We have been working for a while with Fortinet about an issue between the firewall and the LTM (r10600 with tenant 15.1.9.1); this issue is causing a loop with some ICMP packets.

The flow goes like this:

internet (ISP) --- firewall --- LTM --- customer network (client)

So yes, the LTM is in the middle between the client and the firewall. To be clearer, the client is surfing the internet through the LTM up to the firewall, and then the traffic is sent to the ISP.

The issue: When the client tries to reach the internet, for some packets we noticed a fragmentation issue. Packets captured with "ICMP Frag Needed" on the firewall have been sent to the LTM, and for some reason the LTM is sending them back to the firewall, causing a loop. According to the F5 routing table, the next hop for 10.0.0.0/9 is the client, but it does not check the routing table for this kind of packet ("ICMP Frag Needed").

In F5 we see a lot of "need to frag" ICMP messages:

[root@f5-r10600-abc:Active:Standalone] config # tcpdump -i Internet 'icmp[0] = 3' | grep "need to frag"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on Internet, link-type EN10MB (Ethernet), capture size 65535 bytes
14:15:25.497395 IP 72.246.151.107 > 10.76.174.197: ICMP 72.246.151.107 unreachable - need to frag (mtu 1448), length 556 in slot1/tmm0 lis=
14:15:25.497399 IP 72.246.151.107 > 10.76.174.197: ICMP 72.246.151.107 unreachable - need to frag (mtu 1448), length 556 in slot1/tmm0 lis=
14:15:25.498314 IP 72.246.151.171 > 10.51.131.240: ICMP 72.246.151.171 unreachable - need to frag (mtu 1448), length 556 in slot1/tmm0 lis=

We are concerned that the F5 is not behaving appropriately for this kind of ICMP traffic.

We read some articles about PMTUD while not being sure if this is the issue:
https://my.f5.com/manage/s/article/K000138230
https://my.f5.com/manage/s/article/K13948

We tried TAC support, but we have 15.1.9.1 and it went EOS two weeks ago. An upgrade will be done, but only next month, and I don't think this will be solved by an upgrade.

Has anyone faced this issue?

Thanks
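The symptom described in the post (the same "need to frag" message appearing on the BIG-IP interface several times within microseconds) can be picked out of a tcpdump text capture mechanically. The following is an added example, not code from the original post, from F5 or from Fortinet: it parses tcpdump's ICMP type-3 "need to frag" lines in the format shown above, groups them by outer source, outer destination and advertised MTU, and flags any tuple that repeats within a short window, which is the signature of a message being bounced between two devices rather than delivered once to the original sender. The sample capture, the addresses in it (RFC 5737 documentation space) and the thresholds are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Matches the tcpdump lines as printed on the BIG-IP in the post: timestamp,
# outer src/dst, the quoted original destination, the advertised MTU and length.
# Anything after "length N" (e.g. "in slot1/tmm0 lis=") is ignored.
FRAG_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP (?P<orig>[\d.]+) unreachable - need to frag \(mtu (?P<mtu>\d+)\), "
    r"length (?P<length>\d+)"
)

# Constructed sample capture modelled on the post's output (not real traffic).
SAMPLE_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
14:15:25.497395 IP 203.0.113.10 > 10.76.174.197: ICMP 203.0.113.10 unreachable - need to frag (mtu 1448), length 556 in slot1/tmm0 lis=
14:15:25.497399 IP 203.0.113.10 > 10.76.174.197: ICMP 203.0.113.10 unreachable - need to frag (mtu 1448), length 556 in slot1/tmm0 lis=
14:15:25.497402 IP 203.0.113.10 > 10.76.174.197: ICMP 203.0.113.10 unreachable - need to frag (mtu 1448), length 556 in slot1/tmm0 lis=
14:15:25.498314 IP 203.0.113.20 > 10.51.131.240: ICMP 203.0.113.20 unreachable - need to frag (mtu 1448), length 556 in slot1/tmm0 lis=
14:15:26.102000 IP 203.0.113.30 > 10.51.131.241: ICMP 203.0.113.30 unreachable - need to frag (mtu 1400), length 556 in slot1/tmm0 lis=
14:15:26.500000 IP 203.0.113.10 > 10.76.174.197: ICMP 203.0.113.10 unreachable - need to frag (mtu 1448), length 556 in slot1/tmm0 lis=
"""


def _ts_seconds(ts):
    """Convert tcpdump's HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_frag_needed(capture_text):
    """Return one record per 'need to frag' line; non-matching lines are skipped."""
    records = []
    for line in capture_text.splitlines():
        m = FRAG_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": _ts_seconds(m["ts"]),
            "src": m["src"],
            "dst": m["dst"],
            "orig": m["orig"],
            "mtu": int(m["mtu"]),
            "length": int(m["length"]),
        })
    return records


def find_repeats(records, min_repeats=3, window=0.01):
    """Flag (src, dst, mtu) tuples seen at least min_repeats times within
    `window` seconds. A legitimate PMTUD exchange produces one message per
    oversized packet; a tight burst of identical messages points at the
    message being forwarded back and forth between two hops."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["src"], r["dst"], r["mtu"])].append(r["ts"])
    suspects = {}
    for key, stamps in by_key.items():
        stamps.sort()
        best, j = 0, 0
        for i in range(len(stamps)):          # sliding window over sorted times
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= min_repeats:
            suspects[key] = best
    return suspects


def mtu_histogram(records):
    """How many messages advertised each MTU; useful to see which hop is
    generating them (the post's capture shows a single value, 1448)."""
    return Counter(r["mtu"] for r in records)


if __name__ == "__main__":
    recs = parse_frag_needed(SAMPLE_CAPTURE)
    print("advertised MTUs:", dict(mtu_histogram(recs)))
    for (src, dst, mtu), n in find_repeats(recs).items():
        print(f"suspected bounce: {src} > {dst} (mtu {mtu}) seen {n}x within 10 ms")
```

To use it on a live box, replace SAMPLE_CAPTURE with the text of `tcpdump -i <interface> 'icmp[0] = 3'` captured on both the firewall-facing and the client-facing interface: a message that is flagged on the firewall-facing interface in both directions, with the same advertised MTU, is the bounce the post describes, whereas a message that appears once per direction is ordinary PMTUD being relayed toward the client.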