[ale] SSH Cisco Networking Issue

Michael H. Warfield mhw at WittsEnd.com
Wed Sep 29 09:13:45 EDT 2010


On Tue, 2010-09-28 at 08:51 -0600, Michael Hirsch wrote: 
> On Tue, Sep 28, 2010 at 6:32 AM, Michael H. Warfield <mhw at wittsend.com> wrote:
> > On Tue, 2010-09-28 at 05:30 -0400, Paul Cartwright wrote:
> >> On Mon September 27 2010, Michael H. Warfield wrote:
> >> > You MIGHT try "ping -M do -s 1500 host" and see if it breaks.  The "-M
> >> > do" says do prohibit fragmentation (don't ask - I don't know why it's
> >> > that way) and the -s 1500 sets the packet size.  Back it down till it
> >> > works.  If it does, you have your smoking gun.  Still, I'm not sure I
> >> > can guarantee the test.
> >
> >> so, I am an atnex.net customer, and I tried that with this line:
> >> ping -M do -s 1460 atnex.net
> >> PING atnex.net (208.65.89.2) 1460(1488) bytes of data.
> >> 1468 bytes from www.atnex.net (208.65.89.2): icmp_seq=1 ttl=124 time=51.4 ms
> >> 1468 bytes from autodiscover.atnex.net (208.65.89.2): icmp_seq=2 ttl=124
> >> time=50.5 ms
> >> <SNIP>
> >
> >> --- atnex.net ping statistics ---
> >> 7 packets transmitted, 7 received, 0% packet loss, time 6022ms
> >> rtt min/avg/max/mdev = 50.198/50.853/51.470/0.446 ms
> >
> >> with anything higher I got this:
> >> From paulandcilla.homelinux.org (192.168.10.2) icmp_seq=2 Frag needed and DF
> >> set (mtu = 1492)
> >> ^Cndcilla.homelinux.org (192.168.10.2) icmp_seq=2 Frag needed and DF set (mtu
> >> = 1492)
> >
> >> --- atnex.net ping statistics ---
> >> 1 packets transmitted, 0 received, +3908 errors, 100% packet loss, time 2459ms
> >
> >> so should I set my router to 1460? I had always used 1492, but I really can't
> >> remember why!
> >
> > 1) That -s is the payload size.  Don't forget the size of the smtp
> > header in there.  I really shouldn't have written -s 1500 but I was
> > typing fast and wasn't thinking.
> >
> > 2) You are getting "Frag needed and DF set" so PMTU discovery should
> > work properly and you don't need to artificially reduce your MTU
> > anyways.
> >
> > The time you would need to fine tune the MTU is if you were getting
> > timeouts.  Both the cases you described above, everything is working
> > fine.  Leave it alone.

> Okay, this is interesting.  Thanks for pointing out the "-M do" Mike.
> I didn't know about that one.

> When I use a full size packet (man page says 8 bytes for ICMP header):
> $ ping -c 2 -M do -s 1492 sfmigex1.migcoverity.net
> PING sfmigex1.migcoverity.net (10.22.0.15) 1492(1520) bytes of data.
> From iforaker-z800 (192.168.22.46) icmp_seq=1 Frag needed and DF set
> (mtu = 1500)
> From iforaker-z800 (192.168.22.46) icmp_seq=1 Frag needed and DF set
> (mtu = 1500)

Ok...  So, you've got a link with a lower MTU at 192.168.22.46 with a
working PMTU discovery.

> --- sfmigex1.migcoverity.net ping statistics ---
> 0 packets transmitted, 0 received, +2 errors

> So, even though it didn't get through it looks like PMTU is working.
> But, if I step down until it works, I don't get the PMTU message just
> above that size:
> $ ping -c 2 -M do -s 1419 sfmigex1.migcoverity.net
> PING sfmigex1.migcoverity.net (10.22.0.15) 1419(1447) bytes of data.

> --- sfmigex1.migcoverity.net ping statistics ---
> 2 packets transmitted, 0 received, 100% packet loss, time 1007ms

Now, somewhere beyond 192.168.22.46 you've got a link with a still lower
MTU and PMTU discovery is broken.  This makes it a bit dicier.

> So with size 1419, there is no notice of packet size problem.  But
> with 1418 size:

> $ ping -c 2 -M do -s 1418 sfmigex1.migcoverity.net
> PING sfmigex1.migcoverity.net (10.22.0.15) 1418(1446) bytes of data.
> 1426 bytes from 10.22.0.15: icmp_seq=1 ttl=126 time=74.1 ms
> 1426 bytes from 10.22.0.15: icmp_seq=2 ttl=126 time=73.6 ms

> --- sfmigex1.migcoverity.net ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 5140ms
> rtt min/avg/max/mdev = 73.679/73.936/74.194/0.374 ms


> Binary search yields packet size 1472 as the magic size.  size 1472
> times out, and 1473 notifies me that fragmentation is needed.

> How weird is that?

Par for da course.

> So now, what do I tell IT?

Next try traceroute with the --mtu option to tell you where the MTUs
are being reduced and where the traceroute is dying at.

> Michael

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
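
The manual step-down in the thread, automated as an added example (not part of the original message): it binary-searches "ping -M do" payload sizes and reports the range that is dropped with no "Frag needed" error coming back, which is the PMTU black hole to hand to IT. It assumes Linux iputils ping and that results change monotonically with size; find_blackhole, ping_probe and simulated_probe are hypothetical names, and the simulated output is constructed from the second ping session quoted above.

```python
import re
import subprocess

OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header added to the -s payload

def classify(ping_output):
    """Classify one 'ping -M do -s N' run as ok, frag_needed or silent."""
    m = re.search(r"Frag needed and DF\s+set\s*\(mtu\s*=\s*(\d+)\)", ping_output)
    if m:
        return "frag_needed", int(m.group(1))   # PMTU discovery signalled
    if re.search(r"\d+ bytes from \S+.*icmp_seq=", ping_output):
        return "ok", None
    return "silent", None                       # dropped with no ICMP error returned

def ping_probe(host):
    """Real probe; assumes Linux iputils ping, the one used in the thread."""
    def probe(size):
        cmd = ["ping", "-c", "2", "-W", "2", "-M", "do", "-s", str(size), host]
        r = subprocess.run(cmd, capture_output=True, text=True)
        return r.stdout + r.stderr
    return probe

def largest(probe, lo, hi, pred):
    """Binary search: largest payload in [lo, hi] whose result satisfies pred."""
    best = None
    while lo <= hi:
        mid = (lo + hi) // 2
        if pred(classify(probe(mid))[0]):
            best, lo = mid, mid + 1
        else:
            hi = mid - 1
    return best

def find_blackhole(probe, lo=500, hi=1500):
    """Return largest working payload, implied path MTU, and the silent payload range."""
    ok_max = largest(probe, lo, hi, lambda kind: kind == "ok")
    quiet_max = largest(probe, lo, hi, lambda kind: kind != "frag_needed")
    start = lo if ok_max is None else ok_max + 1
    silent = (start, quiet_max) if quiet_max is not None and quiet_max >= start else None
    return {"largest_ok_payload": ok_max,
            "path_mtu": None if ok_max is None else ok_max + OVERHEAD,
            "silent_payloads": silent}

def simulated_probe(size):
    """Constructed output, modelled on the second ping session quoted above."""
    if size <= 1418:
        return f"{size + 8} bytes from 10.22.0.15: icmp_seq=1 ttl=126 time=74.1 ms\n"
    if size <= 1472:
        return "2 packets transmitted, 0 received, 100% packet loss, time 1007ms\n"
    return "From iforaker-z800 (192.168.22.46) icmp_seq=1 Frag needed and DF set\n(mtu = 1500)\n"

if __name__ == "__main__":
    print(find_blackhole(simulated_probe))
```

Against a live host, call find_blackhole(ping_probe("host")) instead of passing the simulated probe.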