(Message mtu:6)
Date: 01 Dec 1997 16:11:21 GMT
From: Marc Slemko
Newsgroups: comp.dcom.sys.cisco
Subject: Re: Cannot reach sites with MTU<1500
X-Return-Path: dhesi@rahul.net
X-Nojunk-Status: OK 0
Organization: WorldGate Inc. http://www.worldgate.com/
References: <880958743.6326@news.Colorado.EDU> <65ttqn$37e$1@samba.rahul.net> <65uar9$m94$1@news.ibm.net.il>
Nntp-Posting-Host: valis.worldgate.com
Xref: samba.rahul.net comp.dcom.sys.cisco:41030

In <65uar9$m94$1@news.ibm.net.il> hank@interall.co.il (Hank Nussbacher) writes:

>The problem has to do with sites running NT servers only. If your MTU is
>smaller than the MTU of the NT server, your router attempted to fragment
>the packet, but the NT server had set the packet to "don't fragment"
>(for efficiency and stupid reasons). So your router would discard the
>packet and send an ICMP packet to the NT server. But since they run with
>perhaps a firewall that discards ICMP packets (due to security reasons -
>since NT has large holes regarding ICMP and many sites now filter out
>ICMP at the router or firewall), they never saw the rejections (ICMP
>type=3 packet - destination unreachable - code 4: fragmentation needed
>but don't fragment bit set).

Is NT really that dumb? It should never attempt to send packets which
would end up larger than the MSS you advertise. If you set a low MTU on
your link, you will advertise a low MSS. That means the server should
never ever try sending anything larger than the MSS you advertise. If
this is what is happening, either you are advertising an incorrect MSS
or NT is _really_ broken.

If you have a MTU that is lower than what your MSS gives as a MTU
between you and the server (ie. not directly on your link, but somewhere
upstream) and ICMP can't fragment messages can't get from there to the
server, PMTU discovery will break with any implementation. What the
original poster in this thread is talking about, however, is not this
case.

>Yet another fine product from Microsoft.
Many boxes do PMTU discovery.
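
[Added example, not part of the original post or thread: a simplified Python model of the two cases the reply distinguishes, a low MTU on the client's own link (covered by the advertised MSS) versus a low MTU somewhere upstream with ICMP type 3 code 4 filtered. The function names and all MTU values are constructed for illustration; it assumes IPv4 with 40 bytes of IP and TCP headers and routers that report the next-hop MTU.]

```python
# Added illustration (not from the original post): a simplified model of TCP
# MSS negotiation and path MTU discovery over IPv4. All MTU values are constructed.
IP_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options


def advertised_mss(link_mtu):
    """MSS a host announces in its SYN, derived from its own link MTU."""
    return link_mtu - IP_TCP_HEADERS


def deliver(server_mtu, client_mtu, upstream_mtus, icmp_filtered):
    """Fate of a full-sized server-to-client segment sent with DF set.

    upstream_mtus: MTUs of the links between the two end links.
    icmp_filtered: True if ICMP type 3 code 4 never reaches the server.
    Returns (outcome, ip_packet_size).
    """
    # The sender is bound by the smaller of its own MSS and the client's.
    mss = min(advertised_mss(server_mtu), advertised_mss(client_mtu))
    size = mss + IP_TCP_HEADERS
    links = [server_mtu, *upstream_mtus, client_mtu]
    while True:
        too_small = next((m for m in links if m < size), None)
        if too_small is None:
            return ("delivered", size)
        # The router in front of that link drops the packet and sends
        # "fragmentation needed but DF set" back toward the server.
        if icmp_filtered:
            return ("blackholed", size)  # server keeps retransmitting this size
        # Assumes the ICMP message carries the next-hop MTU (RFC 1191).
        size = too_small


SCENARIOS = {
    "low MTU on client's own link, ICMP filtered": (1500, 576, [1500], True),
    "low MTU upstream, ICMP filtered": (1500, 1500, [1500, 1006, 1500], True),
    "low MTU upstream, ICMP allowed": (1500, 1500, [1500, 1006, 1500], False),
}

if __name__ == "__main__":
    for name, args in SCENARIOS.items():
        print(f"{name}: {deliver(*args)}")
```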