Juniper screening large ICMP packets

Sander Steffann sander at steffann.nl
Mon Aug 22 11:24:51 CEST 2011


Hi,

FYI:

Last week I found out the hard way that turning on Juniper screening of large ICMP messages (http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/id-41418.html) breaks IPv6 path MTU discovery. The packet-too-big messages are being dropped on interfaces that have this 'feature' turned on. I noticed the same behavior on an SSG-140 (ScreenOS based) and on an SRX-240 (JunOS based) where the server was behind the firewall and the client was using a HE or SixXS tunnel.

One more thing to check when debugging broken pMTU...
Sander
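
The size mismatch behind the report above, as an added example that is not part of the original post: an ICMPv6 Packet Too Big message built per RFC 4443 quotes the offending packet up to a total of 1280 bytes, so a screen that judges ICMP by size alone drops it. The 1024-byte limit and the size-only screen model are assumptions (the post gives no threshold), and all function names and sample packets are constructed for illustration.

```python
import struct

IPV6_MIN_MTU = 1280   # RFC 8200 minimum link MTU; also the size cap for ICMPv6 errors
SCREEN_LIMIT = 1024   # ASSUMPTION: ICMP size above which the screen drops the packet
PACKET_TOO_BIG, ECHO_REQUEST = 2, 128   # ICMPv6 types (RFC 4443)

def ipv6_wrap(icmp6: bytes) -> bytes:
    """Prepend a minimal IPv6 header (next header 58 = ICMPv6), documentation addresses."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 6 << 28, len(icmp6), 58, 64) + src + dst + icmp6

def build_ptb(invoking: bytes, mtu: int) -> bytes:
    """Packet Too Big per RFC 4443 section 3.2: quote as much of the invoking packet
    as fits without the whole ICMPv6 packet exceeding 1280 bytes. Checksum left 0."""
    room = IPV6_MIN_MTU - 40 - 8          # minus IPv6 header and ICMPv6 header
    return ipv6_wrap(struct.pack("!BBHI", PACKET_TOO_BIG, 0, 0, mtu) + invoking[:room])

def build_echo(payload_len: int) -> bytes:
    """Echo request with a zero-filled payload, for comparison with the error message."""
    return ipv6_wrap(struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, 1, 1) + bytes(payload_len))

def screen_verdict(packet: bytes, limit: int = SCREEN_LIMIT) -> dict:
    """Model a size-only ICMP screen: it looks at length, never at the ICMPv6 type."""
    payload_len, next_header = struct.unpack("!HB", packet[4:7])
    if packet[0] >> 4 != 6 or next_header != 58:
        return {"icmp6": False, "dropped": False, "breaks_pmtud": False}
    dropped = payload_len > limit
    return {"icmp6": True, "icmp6_len": payload_len, "dropped": dropped,
            "breaks_pmtud": dropped and packet[40] == PACKET_TOO_BIG}

if __name__ == "__main__":
    # Constructed sample: a 1500-byte packet from the server hits a 1480-byte tunnel.
    big = ipv6_wrap(bytes(1460))
    for name, pkt in [("ping", build_echo(56)), ("packet-too-big", build_ptb(big, 1480))]:
        print(name, len(pkt), screen_verdict(pkt))
```

Any size-based ICMP filter has to let ICMPv6 type 2 through regardless of length for path MTU discovery to keep working.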
