[ale] SSH Cisco Networking Issue

Michael Hirsch mdhirsch at gmail.com
Tue Sep 28 10:51:26 EDT 2010


On Tue, Sep 28, 2010 at 6:32 AM, Michael H. Warfield <mhw at wittsend.com> wrote:
> On Tue, 2010-09-28 at 05:30 -0400, Paul Cartwright wrote:
>> On Mon September 27 2010, Michael H. Warfield wrote:
>> > You MIGHT try "ping -M do -s 1500 host" and see if it breaks.  The "-M
>> > do" says do prohibit fragmentation (don't ask - I don't know why it's
>> > that way) and the -s 1500 sets the packet size.  Back it down till it
>> > works.  If it does, you have your smoking gun.  Still, I'm not sure I
>> > can guarantee the test.
>
>> so, I am an atnex.net customer, and I tried that with this line:
>> ping -M do -s 1460 atnex.net
>> PING atnex.net (208.65.89.2) 1460(1488) bytes of data.
>> 1468 bytes from www.atnex.net (208.65.89.2): icmp_seq=1 ttl=124 time=51.4 ms
>> 1468 bytes from autodiscover.atnex.net (208.65.89.2): icmp_seq=2 ttl=124
>> time=50.5 ms
>> <SNIP>
>
>> --- atnex.net ping statistics ---
>> 7 packets transmitted, 7 received, 0% packet loss, time 6022ms
>> rtt min/avg/max/mdev = 50.198/50.853/51.470/0.446 ms
>
>> with anything higher I got this:
>> From paulandcilla.homelinux.org (192.168.10.2) icmp_seq=2 Frag needed and DF
>> set (mtu = 1492)
>> ^Cndcilla.homelinux.org (192.168.10.2) icmp_seq=2 Frag needed and DF set (mtu
>> = 1492)
>
>> --- atnex.net ping statistics ---
>> 1 packets transmitted, 0 received, +3908 errors, 100% packet loss, time 2459ms
>
>> so should I set my router to 1460? I had always used 1492, but I really can't
>> remember why!
>
> 1) That -s is the payload size.  Don't forget the size of the smtp
> header in there.  I really shouldn't have written -s 1500 but I was
> typing fast and wasn't thinking.
>
> 2) You are getting "Frag needed and DF set" so PMTU discovery should
> work properly and you don't need to artificially reduce your MTU
> anyways.
>
> The time you would need to fine tune the MTU is if you were getting
> timeouts.  Both the cases you described above, everything is working
> fine.  Leave it alone.

Okay, this is interesting.  Thanks for pointing out the "-M do" Mike.
I didn't know about that one.

When I use a full size packet (man page says 8 bytes for ICMP header):
$ ping -c 2 -M do -s 1492 sfmigex1.migcoverity.net
PING sfmigex1.migcoverity.net (10.22.0.15) 1492(1520) bytes of data.
From iforaker-z800 (192.168.22.46) icmp_seq=1 Frag needed and DF set (mtu = 1500)
From iforaker-z800 (192.168.22.46) icmp_seq=1 Frag needed and DF set (mtu = 1500)

--- sfmigex1.migcoverity.net ping statistics ---
0 packets transmitted, 0 received, +2 errors

So, even though it didn't get through it looks like PMTU is working.
But, if I step down until it works, I don't get the PMTU message just
above that size:
$ ping -c 2 -M do -s 1419 sfmigex1.migcoverity.net
PING sfmigex1.migcoverity.net (10.22.0.15) 1419(1447) bytes of data.

--- sfmigex1.migcoverity.net ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1007ms


So with size 1419, there is no notice of packet size problem.  But
with 1418 size:

$ ping -c 2 -M do -s 1418 sfmigex1.migcoverity.net
PING sfmigex1.migcoverity.net (10.22.0.15) 1418(1446) bytes of data.
1426 bytes from 10.22.0.15: icmp_seq=1 ttl=126 time=74.1 ms
1426 bytes from 10.22.0.15: icmp_seq=2 ttl=126 time=73.6 ms

--- sfmigex1.migcoverity.net ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 5140ms
rtt min/avg/max/mdev = 73.679/73.936/74.194/0.374 ms


Binary search yields packet size 1472 as the magic size.  size 1472
times out, and 1473 notifies me that fragmentation is needed.

How weird is that?

So now, what do I tell IT?

Michael
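
Added example, not part of the original post: a POSIX shell sketch of the binary search described above. It separates sizes that get a reply, sizes that vanish silently, and sizes that draw "Frag needed", which is the evidence that shows where a path drops packets without sending the ICMP error. The function names are hypothetical and `probe` assumes Linux iputils `ping`.

```shell
#!/bin/sh
# Added example (not from the original post): locate a PMTU black hole.
# Function names are hypothetical; probe() assumes Linux iputils ping.

# Classify the text of one DF-set ping run: reply | fragneeded | silent.
# "silent" means no reply and no ICMP error; it cannot tell a dropped
# oversized packet from an unreachable host, so start from a size that works.
classify() {
    case "$1" in
        *"Frag needed"*|*"essage too long"*) echo fragneeded ;;
        *"bytes from"*) echo reply ;;
        *) echo silent ;;
    esac
}

# One echo request to host $1 with payload size $2 and DF set.
probe() { ping -c 1 -W 2 -M do -s "$2" "$1" 2>&1; }
PROBE=${PROBE:-probe}

# Largest payload in [lo,hi] that still satisfies mode:
#   reply  = an echo reply came back
#   nofrag = nothing reported "fragmentation needed" (reply or silence)
# Assumes payload lo satisfies the mode.
largest() {  # host lo hi mode
    host=$1 lo=$2 hi=$3 mode=$4
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        class=$(classify "$($PROBE "$host" "$mid")")
        case "$mode:$class" in
            reply:reply|nofrag:reply|nofrag:silent) lo=$mid ;;
            *) hi=$((mid - 1)) ;;
        esac
    done
    echo "$lo"
}

# Payload + 28 bytes (20 IP + 8 ICMP) is the packet size ping prints in parentheses.
report() {  # host lo hi
    ok=$(largest "$1" "$2" "$3" reply)
    quiet=$(largest "$1" "$2" "$3" nofrag)
    echo "path_mtu=$((ok + 28)) silently_dropped_payloads=$((quiet - ok))"
}

if [ -n "${1:-}" ]; then report "$1" 1200 1500; fi
```

Fed the sizes reported in the post (replies up to 1418, silence up to 1472), `report` gives a path MTU of 1446 and 54 payload sizes that are dropped with no ICMP error coming back.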
