On Sunday 01 Sep 2013 14:59:19 Grant wrote:
> >> Could ICMP packets not getting through be to blame for my proxy server
> >> problem?  My laptop can't seem to ping anyone (blocked at the firewall
> >> in this hotel I suppose) and certainly the proxy server can't ping my
> >> laptop.
> >
> > Not all ICMP packets are relevant to detecting the MTU of a node.  A
> > correctly implemented node will return an ICMP Fragmentation Needed
> > (Type 3, Code 4) packet, with its MTU value.  This kind of ICMP packet
> > should not be blocked at firewalls.  Use ping with the do not fragment
> > option to see if packets above a certain size time out, i.e. they are
> > dropped by some offending node on the way.
> >
> > ping -c 6 -n -M do -s 1472 <server_address>
>
> I get "Frag needed and DF set (mtu = 1492)" when pinging google.com.
> I get normal replies with -s 1464.  ifconfig shows my WAN interface at
> MTU 1500 so PMTUD must change the MTU for communication with
> google.com if I understand correctly.
|
The hotel's router/modem may be using PPPoE to authenticate with their ISP,
which has a larger header size and requires an MTU of 1492 (1464+28=1492).

So, although your NIC is configured to the full Ethernet MTU size, the router
drops the size down to 1492 to be able to squeeze it out through the ISP's
network.  That's all good and proper and will not cause the timeout problem
you have been experiencing.
|
|
> > Of course, if the hotel's firewall is blocking all outgoing/incoming
> > pings this sort of diagnostic test will not be useful.
>
> I actually only lose pings to my own remote system so I've started a
> new thread about that.  I tried down to -s 1 but still 100% packet
> loss there.
|
Have you checked that the firewall at your server is not set to drop all ICMP
packets and that you don't have something like this set up on it:
|
net.ipv4.icmp_echo_ignore_all = 0

(use sysctl to check)
--
Regards,
Mick |
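
The manual test in this thread (ping with "do not fragment" at 1472, then at 1464) can be automated as a binary search over the payload size. The script below is an added example, not part of the original message; the function names `probe` and `path_mtu` are chosen here, and it assumes the Linux iputils `ping` used above (`-M do`, `-W`).

```shell
#!/bin/sh
# Added example: find the largest ICMP echo payload that gets a reply with
# the Don't Fragment bit set, then report payload + 28 as the path MTU.

# probe HOST SIZE: succeeds if one DF ping with SIZE payload bytes is answered.
# This is the only function that touches the network.
probe() {
    ping -c 1 -n -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# path_mtu HOST [MIN_PAYLOAD] [MAX_PAYLOAD]
# Prints the path MTU (payload + 20-byte IPv4 header + 8-byte ICMP header).
# Returns 1 if even the smallest payload gets no reply: echo is filtered or
# the host is down, so the result says nothing about MTU (the "100% packet
# loss at -s 1" case from the thread).
path_mtu() {
    host=$1
    lo=${2:-0}       # smallest payload to try
    hi=${3:-1472}    # largest payload: Ethernet MTU 1500 - 28

    probe "$host" "$lo" || return 1

    # Invariant: a payload of $lo is known to pass; nothing above $hi passes.
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$host" "$mid"; then
            lo=$mid
        else
            hi=$(( mid - 1 ))
        fi
    done

    echo $(( lo + 28 ))
}
```

Calling `path_mtu <server_address>` behind the PPPoE link described above would be expected to print 1492; a non-zero exit status means the echo requests are being dropped regardless of size, which points at filtering rather than an MTU problem.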