| 1 |
On Sunday 01 Sep 2013 14:59:19 Grant wrote: |
| 2 |
> >> Could ICMP packets not getting through be to blame for my proxy server |
| 3 |
> >> problem? My laptop can't seem to ping anyone (blocked at the firewall |
| 4 |
> >> in this hotel I suppose) and certainly the proxy server can't ping my |
| 5 |
> >> laptop. |
| 6 |
> > |
| 7 |
> > Not all ICMP packets are relevant to detecting the MTU of a node. A |
| 8 |
> > correctly implemented node will return an ICMP Fragmentation Needed |
| 9 |
> > (Type 3, Code 4) packet, with its MTU value. This kind of ICMP packets |
| 10 |
> > should not be blocked at firewalls. Use ping with the do not fragment |
| 11 |
> > option to see if packets above a certain size time out, i.e. they are |
| 12 |
> > dropped by some offending node on the way. |
| 13 |
> > |
| 14 |
> > ping -c 6 -n -M do -s 1472 <server_address> |
| 15 |
> |
| 16 |
> I get "Frag needed and DF set (mtu = 1492)" when pinging google.com. |
| 17 |
> I get normal replies with -s 1464. ifconfig shows my WAN interface at |
| 18 |
> MTU 1500 so PMTUD must change the MTU for communication with |
| 19 |
> google.com if I understand correctly. |
| 20 |
|
| 21 |
The hotel's router/modem may be using PPPoE to authenticate with their ISP, |
| 22 |
which has a larger header size and requires an MTU of 1492 (1464+28=1492) |
| 23 |
|
| 24 |
So, although your NIC is configured to the full ethernet MTU size, the router |
| 25 |
drops the size down to 1492 to be able to squeeze it out through the ISP's |
| 26 |
network. That's all good and proper and will not cause the timeout problem |
| 27 |
you have been experiencing. |
| 28 |
|
| 29 |
|
| 30 |
> > Of course, if the hotel's firewall is blocking all outgoing/incoming |
| 31 |
> > pings this sort of diagnostic test will not be useful. |
| 32 |
> |
| 33 |
> I actually only lose pings to my own remote system so I've started a |
| 34 |
> new thread about that. I tried down to -s 1 but still 100% packet |
| 35 |
> loss there. |
| 36 |
|
| 37 |
Have you checked that the firewall at your server is not set to drop all ICMP |
| 38 |
packets and that you don't have something like this set up on it: |
| 39 |
|
| 40 |
net.ipv4.icmp_echo_ignore_all = 0 |
| 41 |
|
| 42 |
(use sysctl to check) |
| 43 |
-- |
| 44 |
Regards, |
| 45 |
Mick |
Archives