Reset Search
 

 

Article

Large ICMP packets are being dropped by EXOS platform even if DF bit is not set.

« Go Back

Information

 
TitleLarge ICMP packets are being dropped by EXOS platform even if DF bit is not set.
Symptoms
In simple topology large ICMP packets are being dropped by EXOS platform even if DF bit is not set.
Topology: host1(10.10.10.10) <-> [EXOS] <-> host2(10.10.10.20)
user:~ host2$ ping -c 3 -s 600 10.10.10.10
PING 10.10.10.10 (10.10.10.10): 600 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1

--- 10.10.10.10 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

user:~ host2$ ping -c 3 -s 500 10.10.10.10
PING 10.10.10.10 (10.10.10.10): 500 data bytes
608 bytes from 10.10.10.10: icmp_seq=0 ttl=59 time=8.952 ms
608 bytes from 10.10.10.10: icmp_seq=1 ttl=59 time=7.846 ms
608 bytes from 10.10.10.10: icmp_seq=2 ttl=59 time=8.042 ms

--- 10.10.10.10 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 7.846/8.280/8.952/0.482 ms
Environment
  • EXOS 12.0 and newer
  • any EXOS platform with ip-security feature support
  • ICMP anomaly-protection feature
Cause
One of the possible reasons of such behaviour is ICMP anomaly protection feature enabled. This feature is disabled by default.
When ICMP anomaly protection is enabled, fragmented ICMP packets or ICMP packets with payload size greater than the maximum IPv4/IPv6 ICMP-allowed size are dropped. Anomaly protection performed in hardware on ingress prior to L2/L3 operations performed.
 
Resolution
To allow large ICMP packets forwarding it is needed to disable ICMP anomaly protection or adjust maximum allowed ICMP packet size:
To disable anomaly protection:
disable ip-security anomaly-protection icmp
To adjust maximum allowed ICMP packet size:
configure ip-security anomaly-protection icmp ipv4-max-size <8-1023>
configure ip-security anomaly-protection icmp ipv6-max-size <8-16283>

 
Additional notes

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255