Date: Sun, 9 Jan 2005 00:29:25 +0000 (GMT)
From: Robert Watson <rwatson@freebsd.org>
To: Jay Teutenberg <jay@advertisnet.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: 5.x can ping 25152 bytes but not 25153
Message-ID: <Pine.NEB.3.96L.1050109002632.51282C-100000@fledge.watson.org>
In-Reply-To: <005901c4f5c9$dc817600$a2a6b0d8@right>

On Sat, 8 Jan 2005, Jay Teutenberg wrote:

> We are up against an interesting problem.
>
> We have several FBSD servers, the ones that are 5.x do not seem to be
> able to respond to pings larger than 25152, but 4.x kernels can.
>
> We are getting I/O errors from sendmail and want to make sure our
> networking is ok. We have tried swapping cables, ports in the cisco cat
> 2912, swapped 3com905's, no luck.
>
> Thanks all, my apologies if this is a bikeshed, I did my best to
> research it. Found some postings in this group last year where someone
> mentions this phenomenon, but no fix or answer was offered.
> http://lists.freebsd.org/pipermail/freebsd-questions/2004-April/044070.html

This is probably due to resource limits on the maximum number of fragments
that may be supported for an IP packet. You can take a look at the
fragment limits using sysctl:

    net.inet.ip.maxfragpackets: 800
    net.inet.ip.maxfragsperpacket: 16

If you increase maxfragsperpacket, you should be able to see FreeBSD
clients and servers handle ICMP pings larger in size. These resource
limits were put in place to address a widely observed denial of service
attack involving the delivery of many small fragments to hosts in a form
that prevents reassembly but consumes large amounts of memory and CPU.

Let me know if tweaking the above doesn't help, though!

Thanks,

Robert N M Watson
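
Added example (not part of the message above, and not FreeBSD project code): fragment arithmetic showing that the 25152/25153 boundary reported in the thread is exactly where a ping goes from 17 to 18 IP fragments. It assumes IPv4 with a 20-byte header and no options, an 8-byte ICMP echo header, and a 1500-byte Ethernet MTU, none of which the thread states; the function names are illustrative.

```sh
#!/bin/sh
# Added example: how many IP fragments a "ping -s <size>" needs.
# Assumptions (not stated in the thread): IPv4 header of 20 bytes without
# options, 8-byte ICMP echo header, default MTU of 1500 bytes.

IP_HDR=20
ICMP_HDR=8

# Bytes carried by every non-final fragment: MTU minus the IP header,
# rounded down to a multiple of 8 because fragment offsets are in 8-byte units.
frag_payload() {
    echo $(( ($1 - IP_HDR) / 8 * 8 ))
}

# Number of fragments for a ping with <size> data bytes at <mtu> (default 1500).
frag_count() {
    fc_size=$1; fc_mtu=${2:-1500}
    fc_full=$(( fc_mtu - IP_HDR ))           # what the final fragment may carry
    fc_per=$(frag_payload "$fc_mtu")
    fc_total=$(( fc_size + ICMP_HDR ))       # IP payload = ICMP header + data
    if [ "$fc_total" -le "$fc_full" ]; then echo 1; return; fi
    # One final fragment of up to fc_full bytes, the rest in fc_per-sized pieces.
    echo $(( 1 + (fc_total - fc_full + fc_per - 1) / fc_per ))
}

# Largest ping data size that still fits in <n> fragments at <mtu>.
max_ping_size() {
    mp_n=$1; mp_mtu=${2:-1500}
    mp_per=$(frag_payload "$mp_mtu")
    echo $(( (mp_n - 1) * mp_per + (mp_mtu - IP_HDR) - ICMP_HDR ))
}

# The two sizes from the subject line, under the assumptions above.
for size in 25152 25153; do
    echo "ping -s $size -> $(frag_count "$size") fragments"
done
echo "largest ping data size in 17 fragments: $(max_ping_size 17)"
```

Compare the fragment counts with the value that `sysctl net.inet.ip.maxfragsperpacket` reports on the receiving host when choosing a new limit.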