Re: ECMP, DF-bit and ICMP "Fragmentation needed"
- Reply: Victor Gamov : "Re: ECMP, DF-bit and ICMP "Fragmentation needed""
- In reply to: Victor Gamov : "ECMP, DF-bit and ICMP "Fragmentation needed""
Date: Mon, 27 Feb 2023 10:56:48 UTC
> On 26 Feb 2023, at 12:07, Victor Gamov <vitspec@gmail.com> wrote:
>
> Hi All
>
> I have following scheme:
> - LAN segment 10.5.8.0/24 with router1 (10.5.8.1) and MTU=1500
> - two hosts at LAN segment host21 (10.5.8.21) and host22 (10.5.8.22)
> - host21 and host22 have VIP=172.16.110.30 configured as LAN-interface alias
> - host21 and host22 have BGP peering with router1 and announce VIP to router1
> - hostX somewhere at intranet
> - ipsec-tunnel with MTU=1400
>
> ECMP works fine and traffic from other segments to VIP is balanced between host21+host22 by router1.
>
> The problem is:
> when host21 and/or host22 send large packet with DF-bit using VIP as source then ipsec-router sends ICMP "Fragmentation needed" and then this ICMP is _always_ sent to only host22 by router1.
>
> I think it may be hard or impossible to find proper VIP-owner to send this ICMP. Is it possible to propagate such ICMP to all VIP-owners in router1 routing-table? Or may some data from ICMP message be used to properly calculate ECMP-hash to find a real VIP-owner which must receive this ICMP?

Generally it’s pretty hard to do. The path may go through multiple routers which have their own hash calculation + seed to avoid the traffic polarisation. Personally I’d suggest doing some sort of ICMP replication on either the source node or the hosts.

>
> Thanks!th
>
> --
> CU,
> Victor Gamov
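The hashing question raised in the thread, as an added example that is not part of either message: it builds the ICMP "Fragmentation needed" packet and shows that hashing its outer header always selects the same next hop, while hashing the embedded original header (with source and destination swapped) selects the host that owns the flow. The SHA-256 based `ecmp_pick`, the addresses for hostX and the IPsec gateway, and the port numbers are constructed assumptions. It models a single ECMP hop only, so it does not address the multi-router, per-router-seed case the reply describes.

```python
import hashlib, socket, struct

NEXT_HOPS = ["10.5.8.21", "10.5.8.22"]   # host21, host22 from the post
VIP = "172.16.110.30"
HOSTX, IPSEC_GW = "192.0.2.50", "192.0.2.1"   # constructed addresses

def ecmp_pick(src, dst, proto, sport=0, dport=0):
    """Toy ECMP hash over the 5-tuple (assumption: real routers use their own hash/seed)."""
    key = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BHH", proto, sport, dport)
    return NEXT_HOPS[int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % len(NEXT_HOPS)]

def ipv4(src, dst, proto, payload):
    """20-byte IPv4 header with DF set; checksum left at 0 since nothing here verifies it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

def frag_needed(sender, original, mtu):
    """ICMP type 3 code 4: next-hop MTU plus the original IP header and first 8 payload bytes."""
    ihl = (original[0] & 0x0F) * 4
    body = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + original[:ihl + 8]
    return ipv4(sender, socket.inet_ntoa(original[12:16]), 1, body)

def next_hop(pkt, use_inner=True):
    """Pick a next hop; optionally hash ICMP frag-needed on the embedded flow instead."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    proto, l4 = pkt[9], pkt[ihl:]
    if proto == 1 and l4[:2] == b"\x03\x04" and use_inner:
        inner = l4[8:]
        off = (inner[0] & 0x0F) * 4
        sport, dport = struct.unpack("!HH", inner[off:off + 4])
        # The embedded packet is VIP -> hostX; the balanced flow was hostX -> VIP, so swap.
        return ecmp_pick(socket.inet_ntoa(inner[16:20]), socket.inet_ntoa(inner[12:16]),
                         inner[9], dport, sport)
    if proto in (6, 17):
        return ecmp_pick(src, dst, proto, *struct.unpack("!HH", l4[:4]))
    return ecmp_pick(src, dst, proto)

def simulate(client_port):
    """Return (VIP owner for the flow, ICMP target by outer hash, ICMP target by inner hash)."""
    inbound = ipv4(HOSTX, VIP, 6, struct.pack("!HH", client_port, 443))
    big = ipv4(VIP, HOSTX, 6, struct.pack("!HH", 443, client_port) + bytes(1456))
    icmp = frag_needed(IPSEC_GW, big, 1400)
    return next_hop(inbound), next_hop(icmp, use_inner=False), next_hop(icmp)

if __name__ == "__main__":
    for port in range(40000, 40008):
        print(port, *simulate(port))
```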