Allowing Path MTU discovery

Frequently Asked Questions
Posts: 696
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Allowing Path MTU discovery

Post by Peter » 01 Nov 2010, 17:36

This FAQ applies to:
  • Clavister Security Gateway 8.x and 9.x.

I want to allow “Path MTU discovery” thru the Clavister SGW, how can i accomplish this?

Functionality explanation:

Path MTU Discovery is a standardized technique in computer networking for determining the maximum transmission unit (MTU) size on the network path between two Internet Protocol (IP) hosts, usually with the goal of avoiding IP fragmentation.

Path MTU Discovery works by setting the Don't Fragment (DF) option bit in the IP headers of outgoing packets. Then, any device along the path whose MTU is smaller than the packet will drop it, and send back an Internet Control Message Protocol (ICMP) Fragmentation Needed message containing its MTU, allowing the source host to reduce its Path MTU appropriately. The process repeats until the MTU is small enough to traverse the entire path without fragmentation.

Reason why it does not work by default:

As the Clavister SGW is a network security product we want to avoid letting traceroute, ping, or any of the other ICMP messages into and through a network from the Internet as this is an invitation for network mapping, and could lead to an attack. So it should be avoided as much as possible.


In the Clavister SGW there are two settings that need to be taken into account in order to allow Path MTU discovery.

1. “StrifDFOnSmall” in 8.xx and “Strip DontFragment” in 9.xx

This setting can be found in the Advanced Settings->IP in 8.xx and System->Advanced Settings->IP in 9.xx. Per default this setting is configured to be 65535 which means that we remove the “Don’t Fragment” flag from all packets. In order to allow Path MTU discovery this setting needs to be set to a reasonable value where we want to strip the DF flag, i.e lower than 750.

2. “Pass returned ICMP error messages from destination” (both 8.xx and 9.xx)

This setting can be found on all Services (“Local Objects->Services” in 8.xx and “Objects->Services” in 9.xx). This setting needs to be enabled for all services that want/need to use Path MTU discovery.