![]() In conclusions, the ping failure is resulted from the incorrect DF bit of packets processed by the headquarters' server or intermediate network devices on the path from OP_DS and CO_CS to the headquarters' server.This is my first post and I am having trouble accessing the WebAdmin interface directly after installation. As a result, CO_CS receives packets with the incorrect DF bit. In actual applications, however, some devices forcibly fragment such received packets without changing the DF bit from 1 to 0. In the PMTU discovery mechanism, devices can respond with ICMP error packets when receiving packets that need to be fragmented but carry the DF bit 1. When the server receives such an ICMP error packet, it reduces the PMTU of the path until it does not receive any ICMP error packet. If some large packets cannot be fragmented and forwarded by some intermediate devices on the path, these devices will discard the packets and return an ICMP error packet, indicating that the packets need to be fragmented but the DF bit has been set to 1. In this PMTU discovery mechanism, the server specifies the PMTU of a path, sends packets that are shorter than the PMTU and use the DF bit 1 on this path. The headquarters' server sets the DF bit in its ICMP response to 1 in an effort to obtain the minimum MTU, also called path MTU (PMTU) of the return path. The following analyzes the cause of this problem. As a result, a ping failure occurs.ĬO_CS receives packets with incorrect fragment flag bits and so cannot obtain information about the headquarters' server and intermediate devices. When CO_CS finds that both the DF bit and MF bit of the received ICMP response are set to 1, it considers the ICMP response an invalid packet and discards the packet. ![]() Packets with the DF bit 1 can be sent to the hosts that cannot reassemble fragments. If the DF bit of a packet is set to 1 but the packet needs to be fragmented, this packet will be discarded. more fragments: The value 0 indicates that the fragment is the last fragment, while the value 1 indicates that there are other fragments in addition to this fragment.don't fragment: The value 0 indicates that a packet can be fragmented, while the value 1 indicates that a packet cannot be fragmented.Packet headers are obtained on the uplink port that connects CO_CS to WN_DS, as shown in Figure 13-12. OP_DS and CO_CS cannot ping the headquarters' server with large packets.In conclusions, the ping failure is resulted from packet mis-sequencing on the FW's Eth-Trunk interface. Subsequently, the OP server can ping the headquarters' server successfully with large packets. Three of four lines of the Eth-Trunk outbound interface on the FW are removed to change the Eth-Trunk into a single link so as to check whether the FW causes packet mis-sequencing. When the ICMP packet fragments arrive at WN_DS, WN_DS discards these fragments because NAT cannot process mis-sequenced fragments. When the OP server sends large packets to ping the headquarters' server, ICMP packet fragments are mis-sequenced after being processed by the FW connected to OP_DS in bypass mode. In this situation, fragmented packets are mis-sequenced. Packets sent from the FW to OP_DS are in reverse order: Each small ICMP request packet is placed before a large ICMP request packet. The obtained packet header information shows: Packets sent from OP_DS to the FW are sequenced: Each large ICMP request packet is placed before a small ICMP request packet. Figure 13-11 Obtained packet header information on the uplink port that connects OP_DS to the FW
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |