
Monday, July 27, 2015

Windows: find the MTU for a specific IP

The following command gives the path MTU for a specific destination:
U:\>netsh interface ipv4 show destinationcache address=<IP_address>

  • Example on a classic LAN:

U:\>netsh interface ipv4 show destinationcache address=192.168.95.216
Destination              : 192.168.95.216
Next Hop Address         : 192.168.211.254
Source                   : 192.168.211.1
Interface                : Local Area Connection
Path MTU                 : 1500
Upper-layer MTU          : 1480
RTT mean                 : 3000
RTT deviation            : 0
Path transmit speed (Bps): 0
Path receive speed (Bps) : 0
Link transmit Speed (bps): 1000000000
Link receive Speed (bps) : 1000000000


  • Example with an IPsec Tunnel:


U:\>netsh interface ipv4 show destinationcache address=192.168.95.216
Destination              : 192.168.95.216
Next Hop Address         : 192.168.95.216
Source                   : 192.168.243.197
Interface                : Local Area Connection
Path MTU                 : 1400
Upper-layer MTU          : 1380
RTT mean                 : 40
RTT deviation            : 20
Path transmit speed (Bps): 0
Path receive speed (Bps) : 0
Link transmit Speed (bps): 2000000000
Link receive Speed (bps) : 2000000000
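As an added example (not part of the original post), the script below parses the `netsh interface ipv4 show destinationcache` output shown above into a dictionary and derives the figures an administrator usually wants next: the tunnel overhead relative to a 1500-byte LAN link and the largest TCP segment the path carries without fragmentation. The two sample outputs are the ones quoted in the post, embedded here as constructed input so the script runs offline; the function names and the 1500-byte link MTU assumption are mine.

```python
import sys

IPV4_HEADER = 20  # bytes; Upper-layer MTU in the netsh output is Path MTU minus this
TCP_HEADER = 20   # bytes; used to derive the largest TCP payload for the path

# Constructed sample input: the two netsh outputs quoted in the post.
LAN_OUTPUT = """\
Destination              : 192.168.95.216
Next Hop Address         : 192.168.211.254
Source                   : 192.168.211.1
Interface                : Local Area Connection
Path MTU                 : 1500
Upper-layer MTU          : 1480
RTT mean                 : 3000
RTT deviation            : 0
Path transmit speed (Bps): 0
Path receive speed (Bps) : 0
Link transmit Speed (bps): 1000000000
Link receive Speed (bps) : 1000000000
"""

IPSEC_OUTPUT = """\
Destination              : 192.168.95.216
Next Hop Address         : 192.168.95.216
Source                   : 192.168.243.197
Interface                : Local Area Connection
Path MTU                 : 1400
Upper-layer MTU          : 1380
RTT mean                 : 40
RTT deviation            : 20
Path transmit speed (Bps): 0
Path receive speed (Bps) : 0
Link transmit Speed (bps): 2000000000
Link receive Speed (bps) : 2000000000
"""


def parse_destinationcache(text):
    """Turn the 'Key : value' lines of one destination-cache entry into a dict.

    Numeric values become ints; everything else (addresses, interface name) stays a string.
    The first ':' separates key and value, so keys such as 'Path transmit speed (Bps)' survive.
    """
    entry = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        entry[key] = int(value) if value.isdigit() else value
    return entry


def tunnel_overhead(entry, link_mtu=1500):
    """Bytes the path loses compared with a plain Ethernet link (assumed 1500-byte MTU)."""
    return link_mtu - entry["Path MTU"]


def upper_layer_mtu_consistent(entry):
    """Sanity check: Windows' Upper-layer MTU should equal Path MTU minus the IPv4 header."""
    return entry["Upper-layer MTU"] == entry["Path MTU"] - IPV4_HEADER


def max_tcp_payload(entry):
    """Largest TCP payload that fits one unfragmented datagram on this path (the effective MSS)."""
    return entry["Path MTU"] - IPV4_HEADER - TCP_HEADER


if __name__ == "__main__":
    # Usage: netsh interface ipv4 show destinationcache address=<IP> | python this_script.py
    text = sys.stdin.read() if not sys.stdin.isatty() else IPSEC_OUTPUT
    e = parse_destinationcache(text)
    print(f"{e['Destination']} via {e['Next Hop Address']}: path MTU {e['Path MTU']}, "
          f"tunnel overhead {tunnel_overhead(e)} bytes, max TCP payload {max_tcp_payload(e)}")
```

Piping a live `netsh` output into the script reports the same three numbers for any destination; a non-zero overhead on a route that should be plain LAN is a quick hint that a tunnel or an encapsulating device sits on the path.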

Tuesday, December 17, 2013

ICMP Fragmentation and Firewall

Following the installation of new firewalls, I was facing a communication issue between a CMC (Central Management Console) and a Riverbed Steelhead.
Normally, the CMC opens an SSH session to push rules to the Riverbed. After the installation, it was not working anymore. I investigated and found the root cause of the issue.

Packets between the CMC and the Riverbed are fragmented. Without firewalls, the CMC and the Riverbed use Path MTU Discovery (PMTUD) to find an MTU small enough to traverse the entire path without fragmentation.
As a first step, Path MTU Discovery sends packets with the Don't Fragment (DF) option set. A packet sent with this option cannot be fragmented: if a router with a smaller MTU receives it, the router drops it and sends an ICMP Fragmentation Needed message back to the sender. The sender lowers its packet size and repeats this step until a packet reaches the destination without fragmentation.

As you can see below, our problem comes from this ICMP Fragmentation Needed packet.
When the Steelhead sends a packet (with the Don't Fragment option set) to the CMC, a router on the path sends an ICMP Fragmentation Needed message. However, the new firewall filters this packet, so the handshake now fails.

Workaround:

  • Allow ICMP Fragmentation Needed (type 3, code 4) through the firewall.
  • Reduce the MTU on the primary interface of the Riverbed.
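To make the failure mode and both workarounds concrete, here is an added example (my own code, not from the post or from Riverbed) that simulates the PMTUD exchange: a sender probes a constructed three-hop path with DF-set datagrams, the hop with the smaller MTU answers with ICMP Fragmentation Needed, and a firewall either passes or silently drops that reply. The topology (a 1400-byte IPsec hop between two 1500-byte LAN hops), the hop names and the function names are assumptions for the demonstration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Router:
    """A hop on the path and the MTU of its outgoing link (constructed topology)."""
    name: str
    mtu: int


@dataclass
class IcmpFragNeeded:
    """ICMP Destination Unreachable, type 3 code 4, carrying the next-hop MTU (RFC 1191)."""
    sender: str
    next_hop_mtu: int
    icmp_type: int = 3
    icmp_code: int = 4


@dataclass
class Firewall:
    """Policy under test: permit ICMP Fragmentation Needed, or drop it without notice."""
    allow_frag_needed: bool
    dropped: List[IcmpFragNeeded] = field(default_factory=list)

    def passes(self, msg: IcmpFragNeeded) -> bool:
        if msg.icmp_type == 3 and msg.icmp_code == 4 and not self.allow_frag_needed:
            self.dropped.append(msg)  # what a firewall log would show as a denied ICMP
            return False
        return True


def send_with_pmtud(path: List[Router], firewall: Firewall, start_size: int,
                    max_rounds: int = 8) -> Tuple[Optional[int], List[str]]:
    """Simulate a sender doing Path MTU Discovery with DF-set datagrams of start_size bytes.

    Returns (size finally delivered, event log). None means the sender never learns the
    path MTU: every probe is dropped and the ICMP answer never reaches it (a PMTUD black hole).
    """
    size = start_size
    log: List[str] = []
    for _ in range(max_rounds):
        too_small = next((r for r in path if size > r.mtu), None)
        if too_small is None:
            log.append(f"{size}-byte DF datagram delivered end to end")
            return size, log
        reply = IcmpFragNeeded(sender=too_small.name, next_hop_mtu=too_small.mtu)
        log.append(f"{too_small.name}: dropped {size}-byte DF datagram, "
                   f"sent ICMP type 3 code 4 (next-hop MTU {reply.next_hop_mtu})")
        if not firewall.passes(reply):
            log.append("firewall dropped the ICMP Fragmentation Needed; the sender keeps "
                       "retransmitting the same size and the session stalls (PMTUD black hole)")
            return None, log
        size = reply.next_hop_mtu  # the sender shrinks to the advertised MTU and retries
    return None, log


# Constructed path: LAN hop at 1500, an IPsec gateway whose tunnel carries 1400, LAN hop at 1500.
PATH = [Router("lan-router", 1500), Router("ipsec-gw", 1400), Router("remote-router", 1500)]


if __name__ == "__main__":
    scenarios = [
        ("ICMP Fragmentation Needed permitted", Firewall(True), 1500),
        ("ICMP Fragmentation Needed filtered", Firewall(False), 1500),
        ("ICMP filtered, sender interface MTU lowered to 1400", Firewall(False), 1400),
    ]
    for label, fw, size in scenarios:
        delivered, events = send_with_pmtud(PATH, fw, size)
        print(f"--- {label}: delivered={delivered}")
        for event in events:
            print("   ", event)
```

The three scenarios map onto the post: with the ICMP reply permitted the sender converges on 1400 bytes after one round; with it filtered the sender never converges, and the firewall's own drop record (`fw.dropped`) is exactly the evidence to look for in the firewall log; lowering the Riverbed's interface MTU to the tunnel size avoids the need for the ICMP message altogether.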