This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
carl_t
Contributor
‎2022-05-06 04:56 AM

Fragmentation needed ICMP Type 3 Code 4

Hi Guys

We are having some issues with wifi calling over voip, we are seeing the below messages coming from the device in the drop logs

ICMP Fragmentation needed

ICMP Type 3

ICMP Code 4

Address spoofing

Anyone know how to fix this? I believe it could be related to accleration.

Cheers

Carl

0 Kudos
7 Replies
Chris_Atkinson
Employee Employee
Employee
‎2022-05-06 05:25 AM

Does the traffic traverse a VPN and have you checked for MTU issues? 

Meanwhile Anti-spoofing implies traffic is coming into an interface that the source address isn't expected from.

CCSM R77/R80/ELITE
0 Kudos
carl_t
Contributor
‎2022-05-06 06:03 AM
In response to Chris_Atkinson

Hi Chris

The interface it is coming in on is fine, It does not traverse a vpn, it is traffic just going out of the internet.

0 Kudos
carl_t
Contributor
‎2022-05-09 12:09 AM
In response to carl_t

Any ideas guys ?

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-05-09 12:25 AM
In response to carl_t

More information is likely required for us to be of much help here.

- Is there anything special about the internet connection used: Satellite / LTE / PPPoE ?

- Which version and jumbo hotfix is applied to the gateway?

- What is the Wireless network topology  with respect to both the firewall & client device.

 

Back in the day Wi-Fi environments utilizing CAPWAP or similar between an AP and WLC used to necessitate either the use of jumbo frames or adjust-mss in the intermediate network to address fragmentation issues.

CCSM R77/R80/ELITE
0 Kudos
carl_t
Contributor
‎2022-05-09 12:42 AM
In response to Chris_Atkinson

Hi

It is a normal 1G ethernet internet connection.

These are Meraki wifi controllers located at our main site where the internet connection is, the access points tunnel traffic back to them and it breaks out locally on the lan, then goes to the internet from there.

The Gateways are on R80.20 Take 47.

 

 

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2022-05-09 04:18 AM
In response to carl_t

if you can use a smal free program called TCPoptimizer you can try to find out what the end to end MTU setting is. It is always better to prevent fragmentation and when your internet connection is using pppoe it will take out 8 bytes of the standard packet size. Then you can setup MSS clamping to make sure this will be handled properly. (keep in mind MSS is 40 bytes lower than MTU)

Regards, Maarten
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-05-09 04:34 AM
In response to carl_t

R80.20 will be out of support in September, GA Jumbo is 205, Ongoing Jumbo is 211 - installed take 47 went GA on 25.3.2019...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 18 Mar 2025 @ 09:30 AM (EET)

    CheckMates Live Greece
    In-Person

    Tue 25 Mar 2025 @ 09:00 AM (EDT)

    Canada In-Person Cloud Security with Hands-On CloudGuard Workshops!
    In-Person

    Tue 25 Mar 2025 @ 12:00 PM (MDT)

    Salt Lake City: CPX 2025 Recap
    In-Person

    Tue 08 Apr 2025 @ 12:00 PM (MDT)

    Denver: CPX 2025 Recap
    CheckMates Events
    li.common.scroll-to.top