Broken PMTU Discovery - LTM not returning ICMP Type 3 Code 4

Question

Hello,&nbsp;
I have an issue where I can't ping an upstream router interface through f5 LTM. I've created specific IP virtual forwarding servers for inbound and outbound ICMP (IP protocol 1) and applied a FastL4 profile with "Reassemble IP Fragments" checked. I've tried to change the server type to a Performance (Layer 4), but still no luck.&nbsp;
I am running LACP on the ingress and egress interfaces. I've monkeyed with the VLAN MTUs. It appears that LTM is black-holing PMTUD. If I ping the upstream interface with a payload size of 1454, the ping's successful. A size of 1455 breaks. TCPDUMP on the inside and outside interface show no attempt to forward an ICMP Destination Unreachable to me, and the packet is never forwarded upstream.&nbsp;
I've also monkeyed with the various TMM options: &nbsp;
tmsh modify sys db tm.pathmtudiscovery value enable/disable&nbsp;
tmsh modify sys db tm.enforcepathmtu value enable/disable&nbsp;
tmsh modify sys db route.metrics.mtu value enable/disable&nbsp;
As for the route.metrics.mtu, I've tried modifying the individual route MTUs...no luck.&nbsp;
Anyone ever see this kind of behavior? I'm wondering if LACP is causing me some sort of issue - why a payload size max of 1454? I should not fragment up to 1472 bytes for payload: 1472 + 8 byte ICMP + 20 byte IP headers. There's an 18 byte difference, as if LTM is taking into account the 14 byte Ethernet header and the 4 byte .1Q tag? We're utilizing Ethernet II/ARPA framing, so there's no 4 byte CRC.&nbsp;
Any thoughts/ideas/suggestions would be appreciated!&nbsp;
-Jason&nbsp;

nikhilb · Answer

Does your forwarding virtual servers configured to allow all protocols? (not just TCP/UDP)&nbsp;
Can you ping any other IP's thru the forwarding VS?&nbsp;
Heres an SOL that is worth a read (but doesnt apply to you but handy to have)
https://support.f5.com/kb/en-us/solutions/public/3000/400/sol3475.html?sr=43514607&nbsp;

thi · Answer

I had a customer who had a bit similar problem. Which sw version you are running? Have a look on this bug solution if it applies to you. My customer was running old 10.2.4 and they have to reduce MTU size until upgrading to newer.&nbsp;
https://support.f5.com/kb/en-us/solutions/public/14000/500/sol14532.html?sr=43515503&nbsp;
SOL14532: TMM may incorrectly respond to client request with ICMP Fragmentation Needed (type 3 code 4) messages&nbsp;

jason_whiteake1 · Answer

Thanks, guys, for the responses. &nbsp;
To answer Q1 - yes, regular packet forwarding is a non-issue. I went through the extra step of creating ICMP virtual forwarders (locked to protocol number 1). I have default IP forwarders that listen for all protocols. &nbsp;
To answer Q2 - I'm running 11.4.1. I reviewed that SOL yesterday, and the odd part is that I actually never receive the Type 3 Code 4s that this bug mentions.&nbsp;
It smacks of a "simple" MTU issue, where payload sizes &lt;= 1454 work. Again, though, all VLAN MTUs are set to 1500.&nbsp;
As I was about to type my next statement about upstream switch interface MTU (they support jumbo frames), I'm now wondering if perhaps this could be an issue. Hmm. Running .1Q over an upstream interface that has an MTU of 9198 bytes. I'd expect TCP to deal with this when it sets up a connection (using its advertised MSS), but I believe ICMP would not be able to fragment if fragmentation was needed. The downstream and upstream user paths are all MTU 1500, and thus why 99.9% of my traffic flows are forwarded without issue.&nbsp;
Let me pursue this angle and I'll post back my findings. I welcome everyone's thoughts as well.&nbsp;

jesse_wahl_3952 · Answer

what version? do you have a support case open? it sounds a bit like * [Bug alias 486688 – Improving handling for network and/or wildcard port virtual with multiple HW syncookie learning.]&nbsp;
the workaround for this bug is to disable handware syn cookie protection in the fastl4 profile (and enable software syn cookie protection if desired)&nbsp;

jason_whiteake1 · Answer

Hi Jesse,&nbsp;
Thanks for the idea. We've already started our migration, so the problem application has been addressed. I wish I had been able to try this workaround before moving the app, though. :-)&nbsp;
I still have production traffic running through this LTM, so if I see any additional oddities, I'll give this a try. My fastl4 profiles do have hardware SYN cookie protection enabled.&nbsp;
Thanks again!&nbsp;
-Jason&nbsp;

Forum Discussion

Broken PMTU Discovery - LTM not returning ICMP Type 3 Code 4

6 Replies

Recent Discussions

health monitor source IP address

How to target only webview rendering with CSS?

ltm policy asm_auto_l7_policy

MAC address not showing up in LLDP packet

F5Access | MacOS Sonoma

Related Content

Out of the Shadows: API Discovery and Security

Service discovery and registration with BIG-IP

The return of DevCentral CodeShare.

OWASP Tactical Access Defense Series: Broken Authentication and BIG-IP APM

Service Discovery and authentication options for Kubernetes providers (EKS, AKS, GCP)