(Message mtu:4)
Date: Mon, 01 Dec 1997 12:32:34 GMT
From: hank@interall.co.il (Hank Nussbacher)
Newsgroups: comp.dcom.sys.cisco
Subject: Re: Cannot reach sites with MTU<1500
X-Return-Path: dhesi@rahul.net
X-Nojunk-Status: OK 0
Organization: Hank Nussbacher, consulting
References: <880958743.6326@news.Colorado.EDU> <65ttqn$37e$1@samba.rahul.net>
Nntp-Posting-Host: docking.interall.co.il
X-Newsreader: News Xpress 2.01
Xref: samba.rahul.net comp.dcom.sys.cisco:41066

In article <65ttqn$37e$1@samba.rahul.net>, c.c.eiftj@65.usenet.us.com (Rahul Dhesi) wrote:
>In <880958743.6326@news.Colorado.EDU> Franck Martin writes:
>
>[ dial-up PPP, MTU 576, can't reach some web sites ]
>
>>I set the MTU to 1500 and everything went fine. Please note that I did
>>it at the same time as my ISP did it.
>
>>I wrote to the webmaster of these sites, and so far only one answered me
>>letting me know that they use a cisco local redirector.
>
>I have observed similar problems. The problematic web sites always seem
>to be high-volume sites. And in my case too, one web site replied
>saying it was using the Cisco local director. My workaround was to ask
>users to go through a proxy server on the local network.
>
>I don't fully understand the problem. I tried tracing TCP/IP traffic
>and found that the offending web sites were sending a packet with the DF
>(don't fragment) bit set. It might be the case that the Cisco local
>director is trying to do MTU discovery and something is failing.

The problem has to do with sites running NT servers only. If your MTU
is smaller than the MTU of the NT server, your router attempted to
fragment the packet, but the NT server had set the packet to "don't
fragment" (for efficiency and stupid reasons). So your router would
discard the packet and send an ICMP packet to the NT server. But since
they run with perhaps a firewall that discards ICMP packets (due to
security reasons - since NT has large holes regarding ICMP and many
sites now filter out ICMP at the router or firewall), they never saw
the rejections (ICMP type=3 packet - destination unreachable - code 4:
fragmentation needed but don't fragment bit set).

The solution: contact all NT sites in the world and tell them to allow
ICMP type=3 packets at their router or firewall and/or allow
fragmentation on their NT server.
Chance of success: 0%

Alternate solution: modify your MTU to 1500 and make sure all MTUs
along the way are 1500 or greater. I hit this in August with my FR MTU
for customers set to 1496.

Yet another fine product from Microsoft.

Hank
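
The failure described in the post above, as an added example that is not part of the original message: a router on a 576-byte link answers an oversized DF packet with ICMP type 3 code 4 (laid out per RFC 1191, carrying the next-hop MTU), and the server-side filter decides whether the sender ever learns the smaller MTU. The addresses, the policy names and the three-try retransmit limit are constructed for illustration.

```python
import struct

DF = 0x4000  # "don't fragment" bit in the IPv4 flags/fragment-offset field

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an even-length buffer."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(total_len: int, flags: int) -> bytes:
    """20-byte IPv4/TCP header; addresses are constructed documentation IPs."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, flags, 64, 6, 0,
                      bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def router_forward(packet: bytes, link_mtu: int):
    """Return None if the packet goes through, else the ICMP 3/4 error."""
    total_len, _ident, flags = struct.unpack("!HHH", packet[2:8])
    if total_len <= link_mtu or not flags & DF:
        return None  # fits, or the router is allowed to fragment it
    # type 3, code 4, checksum, unused, next-hop MTU, then IP header + 8 bytes
    body = struct.pack("!BBHHH", 3, 4, 0, 0, link_mtu) + packet[:28]
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def firewall_permits(icmp: bytes, policy: str) -> bool:
    """Hypothetical policies: 'drop-all-icmp' or 'allow-frag-needed'."""
    if policy == "drop-all-icmp":
        return False
    return (icmp[0], icmp[1]) == (3, 4)

def server_send(policy: str, link_mtu: int = 576, server_mtu: int = 1500,
                tries: int = 3):
    """Return the packet size that was delivered, or None (black hole)."""
    size = server_mtu
    for _ in range(tries):
        pkt = ipv4_header(size, DF) + bytes(size - 20)
        err = router_forward(pkt, link_mtu)
        if err is None:
            return size
        if firewall_permits(err, policy):
            size = struct.unpack("!H", err[6:8])[0]  # adopt next-hop MTU
        # otherwise the error is dropped and the same size is retransmitted
    return None

if __name__ == "__main__":
    for policy in ("drop-all-icmp", "allow-frag-needed"):
        print(policy, "->", server_send(policy))
```

With every ICMP message dropped the server keeps retransmitting 1500-byte packets that never arrive; permitting only type 3 code 4 is enough for it to fall back to 576.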