Colin_Campbell1
Contributor

PMTUD

Hi,


I have a few questions related to how CheckPoint gateways handle packets with the DF bit set.

Our gateways have MTU=1500 on all interfaces. All routers in the network have MTU=9216. When a router tries to establish multihop eBGP across the firewall, the connection is successful because all of the packets are < 1500 bytes. However, once the update messages, which can be up to 3 kB in size, are sent, they are getting dropped somewhere in the network and the BGP session eventually drops out. The router packets all have the DF bit set.

So, my questions are:

1. What is the default behaviour of a CP Gateway (R81.10) when it receives a packet with DF set and packet size > its MTU? Does it silently drop the packet or send an ICMP destination unreachable, fragmentation required back to the source?

2. If the default is to drop it, can that be changed and if so how?

3. Is there any way I can see those large packets? I have tried tcpdump, cppcap and fw monitor all to no avail.

Thanks

Colin

1 Reply
Tobias_Moritz
Advisor

As far as I understand it 🙂:

When we talk about 3 kB IP packets with the DF bit set, we talk about jumbo frames, because such a large IP packet travels in one large ethernet frame. You made sure that the layer 2 infrastructure between the router sending that jumbo frame and the CP gateway which should receive it is capable of transporting frames that large, did you?

If the answer is no, then you have to fix that first. On layer 2, there is no possibility to inform the sender about the problem.

If the answer is yes, then the next thing is the configuration of the network interface on the gateway side which receives this frame. If it is set to MTU 1500, then the ethernet frame is just invalid for the network stack and gets dropped. It never reaches a firewall worker or anything higher level which would be able to generate an ICMP error message like you want. It will just increment the RX-DRP counter in netstat -ni. If the receiving interface of the CP gateway has MTU 9216 but the egress interface does not (only the default 1500), then and only then can the CP gateway send an ICMP error message to get PMTUD to work.

That's the culprit of introducing jumbo frames in a network (tuning MTU above 1500): you have to make sure all components in that ethernet segment support it, including the connected router interfaces. Your CP gateway is just a router in that segment.

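As an added illustration of the two cases in the reply above (this is example code written for this page, not code from the thread, from the posters, or from Check Point), the following Python models one routing hop handling an IPv4 packet with DF set: a packet larger than the ingress interface MTU never reaches the IP layer and produces no ICMP, while a packet that fits the ingress MTU but exceeds the egress MTU triggers an ICMP Destination Unreachable / Fragmentation Needed (type 3, code 4, RFC 1191) carrying the next-hop MTU. The `Hop` class, the interface MTUs, the documentation addresses and the 3000-byte "BGP UPDATE" are constructed sample values, and the message builder and parser are included so the ICMP format itself can be checked.

```python
"""
Added example (not from the CheckMates thread or Check Point): a model of how
a single routing hop treats an IPv4 packet with the DF bit set, following the
two cases in the reply above, plus the ICMP "Fragmentation Needed" message
(type 3, code 4, RFC 1191) that only the second case can produce.
"""
import ipaddress
import struct
from dataclasses import dataclass

IP_DF = 0x4000          # "Don't Fragment" bit in the IPv4 flags/fragment-offset field
ICMP_UNREACH = 3        # ICMP type: destination unreachable
ICMP_FRAG_NEEDED = 4    # ICMP code: fragmentation needed and DF set


@dataclass
class Hop:
    """Constructed model: MTU of the ingress interface and of the egress interface."""
    ingress_mtu: int
    egress_mtu: int


def inet_checksum(data: bytes) -> int:
    """Ones'-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(total_len: int, df: bool, proto: int = 6,
                src: str = "192.0.2.1", dst: str = "198.51.100.1") -> bytes:
    """Build a 20-byte IPv4 header (constructed, using documentation addresses)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234,
                      IP_DF if df else 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def forwarding_decision(ip_len: int, df: bool, hop: Hop) -> str:
    """Classify what this hop does with a packet of the given IP total length."""
    if ip_len > hop.ingress_mtu:
        # Case 1 of the reply: the frame is too big for the receiving interface,
        # so it is discarded before any IP processing (the reply attributes this
        # to the RX-DRP counter in netstat -ni). No ICMP can be generated here.
        return "dropped-at-l2"
    if ip_len <= hop.egress_mtu:
        return "forwarded"
    if df:
        # Case 2: the packet reached the IP layer, the egress MTU is smaller and
        # DF forbids fragmentation, so the hop answers with ICMP type 3 code 4.
        return "icmp-frag-needed"
    return "fragmented"


def build_frag_needed(next_hop_mtu: int, original: bytes) -> bytes:
    """ICMP Fragmentation Needed: type, code, checksum, unused, next-hop MTU,
    followed by the original IP header plus the first 8 bytes of its payload."""
    body = struct.pack("!BBHHH", ICMP_UNREACH, ICMP_FRAG_NEEDED, 0, 0,
                       next_hop_mtu) + original[:28]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_frag_needed(msg: bytes) -> int:
    """Validate an ICMP Fragmentation Needed message and return its next-hop MTU."""
    icmp_type, code, _, _, mtu = struct.unpack("!BBHHH", msg[:8])
    if (icmp_type, code) != (ICMP_UNREACH, ICMP_FRAG_NEEDED):
        raise ValueError("not an ICMP Fragmentation Needed message")
    if inet_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    return mtu


def simulate(ip_packet: bytes, hop: Hop):
    """Run one packet through a hop; return (verdict, ICMP reply bytes or None)."""
    total_len = struct.unpack("!H", ip_packet[2:4])[0]
    df = bool(struct.unpack("!H", ip_packet[6:8])[0] & IP_DF)
    verdict = forwarding_decision(total_len, df, hop)
    icmp = build_frag_needed(hop.egress_mtu, ip_packet) if verdict == "icmp-frag-needed" else None
    return verdict, icmp


# Constructed sample: a 3000-byte BGP UPDATE (TCP payload) with DF set, as in
# the thread, crossing a hop with both interfaces at MTU 1500, then a hop whose
# ingress interface is jumbo-capable and whose egress interface is MTU 1500.
BGP_UPDATE = ipv4_header(3000, df=True) + b"\x00" * (3000 - 20)

if __name__ == "__main__":
    for hop in (Hop(1500, 1500), Hop(9216, 1500), Hop(9216, 9216)):
        verdict, icmp = simulate(BGP_UPDATE, hop)
        note = f", next-hop MTU {parse_frag_needed(icmp)}" if icmp else ""
        print(f"ingress {hop.ingress_mtu} / egress {hop.egress_mtu}: {verdict}{note}")
```

The model makes the diagnostic point of the reply concrete: with MTU 1500 on the receiving interface the 3000-byte packet is classified as a layer-2 drop and no ICMP message exists for tcpdump, cppcap or fw monitor to show, whereas only a jumbo-capable ingress interface paired with a 1500-byte egress interface yields the ICMP type 3 code 4 reply that lets the router's PMTUD lower its packet size.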
