Cisco Systems Pix & large ping packets

Posted by Christoph Gartmann on May 3, 2007, 9:58 am
Hello,

the largest ping packet that is able to go through our PIX515 (software
version 7.2(2)) is 992 bytes. Larger packets are dropped. MTU size is 1500
and we have a statement "sysopt connection tcpmss 1460". What is necessary
to increase the possible packet size for a ping?

Regards,
Christoph Gartmann

--
Max-Planck-Institut fuer Phone : +49-761-5108-464 Fax: -452
Immunbiologie
Postfach 1169 Internet: gartmann@immunbio dot mpg dot de
D-79011 Freiburg, Germany
http://www.immunbio.mpg.de/home/menue.html

Posted by Walter Roberson on May 3, 2007, 8:35 pm
>the largest ping packet that is able to go through our PIX515 (software
>version 7.2(2)) is 992 bytes. Larger packets are dropped. MTU size is 1500
>and we have a statement "sysopt connection tcpmss 1460". What is necessary
>to increase the possible packet size for a ping?

The 1000 byte icmp packet limitation was introduced in 6.3, which
offered no way to adjust the maximum.

Are you getting IDS 2151 (message 400024) generated, "Large ICMP" ?
The documentation for that indicates the limit is 1024 bytes including
IP headers.

You could -try- disabling inspect icmp, but I don't know if
that will work.

I've searched through the 7.2 command reference, but do not see
any adjustment method documented.

Posted by Christoph Gartmann on May 4, 2007, 3:20 am
Roberson) writes:
>>the largest ping packet that is able to go through our PIX515 (software
>>version 7.2(2)) is 992 bytes. Larger packets are dropped. MTU size is 1500
>>and we have a statement "sysopt connection tcpmss 1460". What is necessary
>>to increase the possible packet size for a ping?
>
>The 1000 byte icmp packet limitation was introduced in 6.3, which
>offered no way to adjust the maximum.

Ah, I see.

>Are you getting IDS 2151 (message 400024) generated, "Large ICMP" ?
>The documentation for that indicates the limit is 1024 bytes including
>IP headers.

I didn't look further into it. I simply realized the limit of 992 bytes.

>You could -try- disabling inspect icmp, but I don't know if
>that will work.

It doesn't :-(

Regards,
Christoph Gartmann

--
Max-Planck-Institut fuer Phone : +49-761-5108-464 Fax: -452
Immunbiologie
Postfach 1169 Internet: gartmann@immunbio dot mpg dot de
D-79011 Freiburg, Germany
http://www.immunbio.mpg.de/home/menue.html

Posted by Sam Wilson on May 4, 2007, 4:57 am
roberson@hushmail.com (Walter Roberson) wrote:

> >the largest ping packet that is able to go through our PIX515 (software
> >version 7.2(2)) is 992 bytes. Larger packets are dropped. MTU size is 1500
> >and we have a statement "sysopt connection tcpmss 1460". What is necessary
> >to increase the possible packet size for a ping?
>
> The 1000 byte icmp packet limitation was introduced in 6.3, which
> offered no way to adjust the maximum.

FWSM 3.1(3) seems to be OK - my colleague has just verified that we can get
7.5K pings to a host through ours, though 9K doesn't work. We don't
know if that's a feature of the host we're testing rather than the FWSM.

Sam

Posted by Christoph Gartmann on May 4, 2007, 9:32 am
> roberson@hushmail.com (Walter Roberson) wrote:
>
>> >the largest ping packet that is able to go through our PIX515 (software
>> >version 7.2(2)) is 992 bytes. Larger packets are dropped. MTU size is 1500
>> >and we have a statement "sysopt connection tcpmss 1460". What is necessary
>> >to increase the possible packet size for a ping?
>>
>> The 1000 byte icmp packet limitation was introduced in 6.3, which
>> offered no way to adjust the maximum.
>
>FWSM 3.1(3) seems to be OK - my colleague has just verified that we can get
>7.5K pings to a host through ours, though 9K doesn't work. We don't
>know if that's a feature of the host we're testing rather than the FWSM.

Now I found the following command:
ip audit signature 2151 disable
This command is available in software version 7.x. Now the limit is at 1472
bytes. Now the question is where this one comes from ...

Regards,
Christoph Gartmann

--
Max-Planck-Institut fuer Phone : +49-761-5108-464 Fax: -452
Immunbiologie
Postfach 1169 Internet: gartmann@immunbio dot mpg dot de
D-79011 Freiburg, Germany
http://www.immunbio.mpg.de/home/menue.html
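
Added example, not part of any post in this thread: the two payload limits reported above, converted to on-wire sizes. 992 bytes of ping data plus the 8-byte ICMP header is a 1000-byte ICMP message, and 1472 bytes of data plus the ICMP header and a 20-byte IPv4 header (no options) is exactly the 1500-byte MTU. The function names and the simulated path are assumptions made for illustration; the simulation treats any packet larger than the MTU as dropped, which the thread itself does not establish.

```python
from typing import Callable

ICMP_HEADER = 8    # ICMP echo header, bytes
IPV4_HEADER = 20   # IPv4 header without options, bytes


def sizes(payload: int) -> dict:
    """On-wire sizes for a ping carrying `payload` bytes of data."""
    icmp = payload + ICMP_HEADER
    return {"payload": payload, "icmp": icmp, "ip": icmp + IPV4_HEADER}


def classify(payload: int, mtu: int = 1500, icmp_limit: int = 1000) -> list:
    """Which of the thresholds mentioned in the thread a ping crosses."""
    s = sizes(payload)
    notes = []
    if s["icmp"] > icmp_limit:
        notes.append("over the 1000-byte ICMP limit")
    if s["ip"] > mtu:
        notes.append("over the MTU, must be fragmented")
    return notes


def largest_passing(probe: Callable[[int], bool], lo: int = 0, hi: int = 65507) -> int:
    """Binary search for the largest payload that `probe` reports as passing.

    Assumes that if a payload of n bytes passes, every smaller one does too.
    Returns -1 if even the smallest payload fails.
    """
    if not probe(lo):
        return -1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def simulated_path(icmp_limit=None, mtu: int = 1500) -> Callable[[int], bool]:
    """Constructed stand-in for a real ping through the firewall (hypothetical)."""
    def probe(payload: int) -> bool:
        s = sizes(payload)
        if icmp_limit is not None and s["icmp"] > icmp_limit:
            return False          # models the large-ICMP check being active
        return s["ip"] <= mtu     # assumption: anything over the MTU is dropped
    return probe
```

To measure a real path, pass `largest_passing` a probe that sends one echo request of the given data size and returns whether a reply came back.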
