From: Christoph Gartmann on 3 May 2007 09:58

Hello,

the largest ping packet that is able to go through our PIX515 (software
version 7.2(2)) is 992 bytes. Larger packets are dropped. MTU size is 1500
and we have a statement "sysopt connection tcpmss 1460". What is necessary
to increase the possible packet size for a ping?

Regards,
Christoph Gartmann

--
Max-Planck-Institut fuer      Phone   : +49-761-5108-464   Fax: -452
Immunbiologie
Postfach 1169                 Internet: gartmann(a)immunbio dot mpg dot de
D-79011 Freiburg, Germany
http://www.immunbio.mpg.de/home/menue.html

From: Walter Roberson on 3 May 2007 20:35

In article <f1cppj$qm1$1(a)news.BelWue.DE>,
Christoph Gartmann <gartmann(a)nonsense.immunbio.mpg.de> wrote:
>the largest ping packet that is able to go through our PIX515 (software
>version 7.2(2)) is 992 bytes. Larger packets are dropped. MTU size is 1500
>and we have a statement "sysopt connection tcpmss 1460". What is necessary
>to increase the possible packet size for a ping?

The 1000 byte icmp packet limitation was introduced in 6.3, which
offered no way to adjust the maximum.

Are you getting IDS 2151 (message 400024) generated, "Large ICMP" ?
The documentation for that indicates the limit is 1024 bytes including
IP headers. You could -try- disabling inspect icmp, but I don't know if
that will work.

I've searched through the 7.2 command reference, but do not see
any adjustment method documented.

From: Christoph Gartmann on 4 May 2007 03:20

In article <vdv_h.158196$aG1.38535(a)pd7urf3no>, roberson(a)hushmail.com (Walter Roberson) writes:
>In article <f1cppj$qm1$1(a)news.BelWue.DE>,
>Christoph Gartmann <gartmann(a)nonsense.immunbio.mpg.de> wrote:
>>the largest ping packet that is able to go through our PIX515 (software
>>version 7.2(2)) is 992 bytes. Larger packets are dropped. MTU size is 1500
>>and we have a statement "sysopt connection tcpmss 1460". What is necessary
>>to increase the possible packet size for a ping?
>
>The 1000 byte icmp packet limitation was introduced in 6.3, which
>offered no way to adjust the maximum.

Ah, I see.

>Are you getting IDS 2151 (message 400024) generated, "Large ICMP" ?
>The documentation for that indicates the limit is 1024 bytes including
>IP headers.

I didn't look further into it. I simply realized the limit of 992 bytes.

>You could -try- disabling inspect icmp, but I don't know if
>that will work.

It doesn't :-(

Regards,
Christoph Gartmann

--
Max-Planck-Institut fuer      Phone   : +49-761-5108-464   Fax: -452
Immunbiologie
Postfach 1169                 Internet: gartmann(a)immunbio dot mpg dot de
D-79011 Freiburg, Germany
http://www.immunbio.mpg.de/home/menue.html

From: Sam Wilson on 4 May 2007 04:57

In article <vdv_h.158196$aG1.38535(a)pd7urf3no>,
 roberson(a)hushmail.com (Walter Roberson) wrote:

> In article <f1cppj$qm1$1(a)news.BelWue.DE>,
> Christoph Gartmann <gartmann(a)nonsense.immunbio.mpg.de> wrote:
> >the largest ping packet that is able to go through our PIX515 (software
> >version 7.2(2)) is 992 bytes. Larger packets are dropped. MTU size is 1500
> >and we have a statement "sysopt connection tcpmss 1460". What is necessary
> >to increase the possible packet size for a ping?
>
> The 1000 byte icmp packet limitation was introduced in 6.3, which
> offered no way to adjust the maximum.

FWSM 3.1(3) seems to be OK - my colleague has just verified that we can get
7.5K pings to a host through ours, though 9K doesn't work. We don't
know if that's a feature of the host we're testing rather than the FWSM.

Sam

From: Christoph Gartmann on 4 May 2007 09:32

In article <Sam.Wilson-83D595.09573804052007(a)scotsman.ed.ac.uk>, Sam Wilson <Sam.Wilson(a)ed.ac.uk> writes:
>In article <vdv_h.158196$aG1.38535(a)pd7urf3no>,
> roberson(a)hushmail.com (Walter Roberson) wrote:
>
>> In article <f1cppj$qm1$1(a)news.BelWue.DE>,
>> Christoph Gartmann <gartmann(a)nonsense.immunbio.mpg.de> wrote:
>> >the largest ping packet that is able to go through our PIX515 (software
>> >version 7.2(2)) is 992 bytes. Larger packets are dropped. MTU size is 1500
>> >and we have a statement "sysopt connection tcpmss 1460". What is necessary
>> >to increase the possible packet size for a ping?
>>
>> The 1000 byte icmp packet limitation was introduced in 6.3, which
>> offered no way to adjust the maximum.
>
>FWSM 3.1(3) seems to be OK - my colleague has just verified that we can get
>7.5K pings to a host through ours, though 9K doesn't work. We don't
>know if that's a feature of the host we're testing rather than the FWSM.

Now I found the following command:

    ip audit signature 2151 disable

This command is available in software version 7.x. Now the limit is at
1472 bytes. Now the question is where this one comes from ...

Regards,
Christoph Gartmann

--
Max-Planck-Institut fuer      Phone   : +49-761-5108-464   Fax: -452
Immunbiologie
Postfach 1169                 Internet: gartmann(a)immunbio dot mpg dot de
D-79011 Freiburg, Germany
http://www.immunbio.mpg.de/home/menue.html
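
Added example, not part of any post in this thread: one way to measure the largest ping payload a firewall passes and convert it to the size of the IP datagram the firewall inspects (payload plus a 20-byte IPv4 header without options and an 8-byte ICMP header). The function names are hypothetical, the probe assumes Linux iputils `ping` (`-c`, `-W`, `-M`, `-s`), and the search assumes every size up to the limit passes while every larger size is dropped.

```python
import subprocess
import sys

IPV4_HEADER = 20   # bytes, IPv4 header without options
ICMP_HEADER = 8    # bytes, ICMP echo header
MAX_PAYLOAD = 65535 - IPV4_HEADER - ICMP_HEADER  # largest echo payload IPv4 allows

def ip_datagram_size(payload):
    """Size of the IP datagram the firewall sees for a given ping payload."""
    return payload + IPV4_HEADER + ICMP_HEADER

def ping_probe(host, dont_fragment=True, timeout_s=2):
    """Return probe(payload) -> bool that sends one echo request (iputils ping assumed)."""
    def probe(payload):
        cmd = ["ping", "-c", "1", "-W", str(timeout_s),
               "-M", "do" if dont_fragment else "dont",  # set or clear the DF bit
               "-s", str(payload), host]
        done = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return done.returncode == 0
    return probe

def find_max_payload(probe, low=0, high=MAX_PAYLOAD):
    """Binary-search the largest payload that gets a reply; None if even `low` fails."""
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2   # round up so the loop always makes progress
        if probe(mid):
            low = mid                 # mid passed: the limit is at or above mid
        else:
            high = mid - 1            # mid was dropped: the limit is below mid
    return low

if __name__ == "__main__":
    host = sys.argv[1]  # a host on the far side of the firewall
    limit = find_max_payload(ping_probe(host))
    if limit is None:
        print("no echo reply at all")
    else:
        print(f"largest payload {limit} bytes = {ip_datagram_size(limit)}-byte IP datagram")
```

With the DF bit set, a measured payload limit of 1472 bytes corresponds to a 1500-byte IP datagram, and 992 bytes to 1020.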