ICMP type 3 (Destination Unreachable) code 4 (Fragmentation Needed and Don't Fragment was Set)
See link for further info: http://www.iana.org/assignments/icmp-parameters

If a networking device receives a packet that is larger than the device's MTU and the packet has the don't fragment (DF) bit set to "on", then the networking device should respond with an ICMP type 3 code 4 telling the sender to decrease the packet size. This is PathMTU.

Most of the time a router or firewall would generate this traffic.

Most of the time if this doesn't work it's because a router is blocking it (with ACL or interface configured with no ip unreachables) or a firewall is blocking it (because firewall admins are ignorant of PMTU).

If you are doing NAT then the packet can't always make it back to the "original" sender to ask it to drop the packet size.

If you are using VPNs then the effective MTU (made that up) is smaller than the sender believes.

Mitchell

--
http://www.securestandard.com/
Directory of Information Security White Papers

>>> [EMAIL PROTECTED] 01/30/04 12:09PM >>>
What ICMP codes? Who sends them? The client, the enforcement module, the host behind the enforcement module?

Thanks for the help.

-Aaron

-----Original Message-----
From: "Rodriguez Quintero, Juan Diego, SYNAPSIS Perú" [mailto:[EMAIL PROTECTED]
Sent: Friday, January 30, 2004 10:06 AM
To: [EMAIL PROTECTED]
Subject: RE: [FW-1] MTU Path Discovery - Not working on NG-AI

Have you checked your router...? You may be blocking some ICMP codes there.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, January 30, 2004 11:53 a.m.
To: [EMAIL PROTECTED]
Subject: [FW-1] MTU Path Discovery - Not working on NG-AI

We use R54 Build 132 clients, against a R54 gateway (no HFAs)/ IPSO 3.7 Build 23. I have read several threads where people say MTU should not be an issue with SecuRemote on NG-AI, yet we continually have users that have to run MTUAdjust, in order to connect to certain apps through the VPN. Could we be blocking something, so MTU Path Discovery cannot work properly?
Just trying to kill one more mystery. Any help would be greatly appreciated.

-Aaron

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
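
Added example, not part of the original thread: a Python decoder for the ICMP type 3 code 4 message described in the reply above, useful when checking a packet capture to see whether these messages are produced and what MTU they advertise. It assumes the RFC 1191 layout (next-hop MTU in the low 16 bits of the second header word, followed by the rejected packet's IPv4 header and its first 8 data bytes); the function names and the sample packet, which uses documentation addresses, are constructed for illustration.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (16-bit one's-complement sum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_frag_needed(icmp: bytes):
    """Decode an ICMP type 3 code 4 message; return None for anything else."""
    if len(icmp) < 8 + 20 + 8:          # ICMP header + IPv4 header + 8 data bytes
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4) or inet_checksum(icmp) != 0:
        return None
    # The payload quotes the IPv4 header of the packet that was too large.
    ver_ihl, _tos, length, _id, flags, _ttl, proto, _hc, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", icmp[8:28])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(icmp) < 8 + ihl + 4:
        return None
    # Ports identify the affected connection, but only for TCP (6) and UDP (17).
    ports = struct.unpack("!HH", icmp[8 + ihl:12 + ihl]) if proto in (6, 17) else None
    return {
        "next_hop_mtu": mtu or None,    # 0: router predates RFC 1191, no MTU hint
        "orig_length": length,
        "df_set": bool(flags & 0x4000),
        "proto": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "ports": ports,
    }

def build_sample(mtu: int = 1400) -> bytes:
    """Constructed sample: a router rejects a 1500-byte TCP packet with DF set."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                        socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.20"))
    inner += struct.pack("!HHI", 51515, 443, 1)      # first 8 bytes of the TCP header
    body = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + inner
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

if __name__ == "__main__":
    print(parse_frag_needed(build_sample()))
```

The `src`, `dst` and `ports` fields come from the quoted original packet, so they name the sender that is expected to lower its packet size, not the router that generated the ICMP message.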
