Forum Discussion

MVP

Jul 17, 2012

F5 setting don't fragment bit

am running into a situation where it appears the F5 is setting the don't fragment bit of a packet that didn't have it set initially. what can be causing this? is there a way to turn this off?

config

design

Hamish

Cirrocumulus

Jul 17, 2012

Well... The BigIP is a proxy... So the packet that didn't have it set initially isn't actually the original packet... However I'd have expected that option to be part of the TCP profile. And I notice it isn't... Possibly because in IPv6 it isn't an option...

Do you have an explicit reason for allowing packets without DNF set? Fragmentation in the network isn't good. Most sensible firewalls will drop fragments by default (They're too good a vector for a DOS attack). I find path-mtu discovery to be a much better proposition (However it does require network and firewall admins who know what they're doing).

Forum Discussion

F5 setting don't fragment bit

Recent Discussions

redirect not working

cat and grep command for rst messages

iRule resulting in too many redirects

When F5OS r2800 appliance reboots, interfaces configured at tenant level for VLAN are lost

iControl for Gtm wideip

Related Content

Setting up BIG-IP with AWS CloudHSM

Setting up persistence in F5 XC

Set HTTP version

Setting up F5 Telemetry Streaming with Splunk Cloud

Virtual Fragmentation Should Not Result in Network Fragmentation