5.x can ping 25152 bytes but not 25153
Robert Watson
rwatson at freebsd.org
Sat Jan 8 16:33:17 PST 2005
On Sat, 8 Jan 2005, Jay Teutenberg wrote:
> We are up against an interesting problem.
>
> We have several FBSD servers, the ones that are 5.x do not seem to be
> able to respond to pings larger than 25152, but 4.x kernels can.
>
> We are getting I/O errors from sendmail and want to make sure our
> networking is ok. We have tried swapping cables, ports in the cisco cat
> 2912, swapped 3com905's, no luck.
>
> Thanks all, my apologies if this is a bikeshed, I did my best to
> research it. Found some postings in this group last year where someone
> mentions this phenomenon, but no fix or answer was offered.
> http://lists.freebsd.org/pipermail/freebsd-questions/2004-April/044070.html

This is probably due to resource limits on the maximum number of fragments
that may be supported for an IP packet. You can take a look at the
fragment limits using sysctl:

    net.inet.ip.maxfragpackets: 800
    net.inet.ip.maxfragsperpacket: 16

If you increase maxfragsperpacket, you should be able to see FreeBSD
clients and servers handle ICMP pings larger in size. These resource
limits were put in place to address a widely observed denial of service
attack involving the delivery of many small fragments to hosts in a form
that prevents reassembly but consumes large amounts of memory and CPU.

Let me know if tweaking the above doesn't help, though!

Thanks,
Robert N M Watson
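
Added example (not part of the original message and not FreeBSD kernel code): a small model of the two sysctl limits quoted above, showing why 25152 and 25153 bytes fall on opposite sides of the limit and how the limits bound what a flood of never-completing fragments can pin in memory. Assumptions: Ethernet MTU of 1500, a 20-byte IP header without options, and a drop rule (discard a datagram once more than maxfragsperpacket fragments are held and it is still incomplete) chosen to reproduce the boundary reported in this thread.

```python
# Constructed model of the two reassembly limits; not FreeBSD kernel code.
MTU, IP_HDR, ICMP_HDR = 1500, 20, 8      # assumed: Ethernet, no IP options
FRAG_DATA = (MTU - IP_HDR) // 8 * 8      # fragment data is a multiple of 8 bytes

def ping_fragments(payload):
    """(offset, length, more_fragments) for each fragment of an echo request."""
    total = payload + ICMP_HDR
    return [(off, min(FRAG_DATA, total - off), off + FRAG_DATA < total)
            for off in range(0, total, FRAG_DATA)]

class ReassemblyTable:
    def __init__(self, maxfragpackets=800, maxfragsperpacket=16):
        self.maxfragpackets = maxfragpackets        # datagrams queued at once
        self.maxfragsperpacket = maxfragsperpacket  # fragments held per datagram
        self.queues, self.held, self.peak_held = {}, 0, 0

    def receive(self, dgram_id, frag):
        """Return 'queued', 'complete' or 'dropped' for one arriving fragment."""
        if dgram_id not in self.queues and len(self.queues) >= self.maxfragpackets:
            return "dropped"                        # no free reassembly queue
        q = self.queues.setdefault(dgram_id, [])
        q.append(frag)
        self.held += 1
        q.sort()
        contiguous = all(a[0] + a[1] == b[0] for a, b in zip(q, q[1:]))
        if q[0][0] == 0 and contiguous and not q[-1][2]:
            self.held -= len(self.queues.pop(dgram_id))
            return "complete"
        if len(q) > self.maxfragsperpacket:         # assumed drop rule (see lead-in)
            self.held -= len(self.queues.pop(dgram_id))
            return "dropped"
        self.peak_held = max(self.peak_held, self.held)
        return "queued"

def ping_result(payload, table):
    """Deliver one fragmented echo request in order; return its final state."""
    for frag in ping_fragments(payload):
        state = table.receive("ping", frag)
        if state != "queued":
            return state
    return "queued"

def flood_peak(table, datagrams=1000, rounds=20):
    """Interleave never-completing fragments (MF always set); return peak held."""
    for r in range(rounds):
        for d in range(datagrams):
            table.receive(d, (r * 8, 8, True))
    return table.peak_held
```

In this model the worst-case number of fragments held is maxfragpackets times maxfragsperpacket, so raising maxfragsperpacket to pass larger pings raises that ceiling in proportion.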