---
url: /2012/10/disabling-ip-unreachables-breaks-pmtud/
title: "Disabling IP unreachables breaks pMTUd"
date: "2012-10-09T06:41:00.000+02:00"
tags: [ IP routing ]
---
<p>A while ago someone sent me an interesting problem: the moment he enabled simple MPLS in his enterprise network with <strong>ip mpls </strong>interface configuration commands, numerous web applications stopped working. My first thought was “MTU problems” (the usual culprit), but path MTU discovery should have taken care of that.<!--more--></p>
<p>As it turned out, the reduced MTU caused by the MPLS header was the problem, but the usual suspect (a sloppily configured firewall) was not to blame. Following (possibly outdated) best practices found on the Internet, someone had configured <strong>no ip unreachables</strong> on most router interfaces. <em>Fragmentation needed</em> ICMP packets were considered to belong to the same bunch, and thus the edge routers quietly dropped the packets they could not send into the MPLS core.</p>
<div class="separator" style="clear: both; text-align: center;"><a href="/2012/10/s1600-TurnOffIPUnreachables.gif" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="236" src="/2012/10/s400-TurnOffIPUnreachables.gif" width="400"/></a></div>
<h4>Tangential notes</h4><ul class="ListParagraph"><li>You’ll find more information on Path MTU Discovery in my <a href="/2008/01/never-ending-story-of-ip-fragmentation/">IP Corner article</a>.</li>
<li>The web servers should have discovered that path MTU discovery (pMTUd) had been broken, but obviously the operating system they were using didn’t support <a href="http://tools.ietf.org/html/rfc4821">RFC 4821</a> (Packetization Layer Path MTU Discovery).</li>
<li>One of the reasons one might have had to disable IP unreachables in the past was to protect the router’s control plane. ICMP packets are usually generated by the router’s CPU; before <a href="http://www.cisco.com/en/US/docs/ios/12_4t/12_4t2/hticmpun.html">you could rate-limit</a> them, it was quite easy to overwhelm a router with packets triggering ICMP replies. With the <strong>ip icmp rate-limit unreachables</strong> command you can set different limits for <em>fragmentation needed</em> packets and other unreachables.</li>
</ul>
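<p>As an added illustration (not part of the original post), the following Python model shows why a silently dropping MPLS edge breaks classic PMTUD while RFC 4821-style probing still converges; the hop MTUs, the retry count and the binary-search probing strategy are simplifying assumptions, not a description of any real implementation.</p>

```python
"""Model of how 'no ip unreachables' breaks classic Path MTU Discovery.

Constructed example: a three-hop path whose middle hop has its MTU reduced
by the MPLS header (1500 -> 1496). A hop with send_unreachables=False
models an interface configured with 'no ip unreachables'.
"""
from dataclasses import dataclass


@dataclass
class Hop:
    mtu: int
    send_unreachables: bool = True  # False == 'no ip unreachables'


@dataclass
class Path:
    hops: list

    def forward(self, size, df=True):
        """Return ('ok'|'fragmented'|'frag_needed'|'dropped', hop_mtu)."""
        for hop in self.hops:
            if size > hop.mtu:
                if not df:
                    return "fragmented", hop.mtu   # router fragments it
                if hop.send_unreachables:
                    return "frag_needed", hop.mtu  # ICMP type 3 code 4
                return "dropped", None             # silent black hole
        return "ok", None


def classic_pmtud(path, start_mtu=1500, max_retries=3):
    """RFC 1191 style: shrink only when ICMP 'fragmentation needed' arrives.
    Returns the working MTU, or None if retransmissions vanish silently."""
    size = start_mtu
    for _ in range(max_retries):
        result, hop_mtu = path.forward(size)
        if result == "ok":
            return size
        if result == "frag_needed":
            size = hop_mtu  # the ICMP message carries the next-hop MTU
        # 'dropped': no signal, so the sender retransmits the same size
    return None


def plpmtud(path, start_mtu=1500, min_mtu=576):
    """RFC 4821 style (simplified): treat probe loss itself as 'too big'
    and binary-search the largest DF packet size that gets through."""
    if path.forward(start_mtu)[0] == "ok":
        return start_mtu
    if path.forward(min_mtu)[0] != "ok":
        return None
    lo, hi = min_mtu, start_mtu  # lo passes, hi fails
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if path.forward(mid)[0] == "ok":
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    good = Path([Hop(1500), Hop(1496), Hop(1500)])
    bad = Path([Hop(1500), Hop(1496, send_unreachables=False), Hop(1500)])
    print("classic, unreachables on :", classic_pmtud(good))   # 1496
    print("classic, unreachables off:", classic_pmtud(bad))    # None
    print("RFC 4821, unreachables off:", plpmtud(bad))         # 1496
```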