MTU/MRU problem with WAN interface (with VLAN)
Accepted Solution
-
Hi,

Thanks again for your answer.

I think we found what the problem was, and in fact there was no problem with the MTU at all; that was the wrong track. I have noticed that all of our Zyxel routers don't reply to pings larger than 100 bytes, and the ADP was responsible for this. When you turn off the ADP in the security policy, you can ping with an MTU higher than 100.

Thanks a lot for your help,
Have a nice day,
Jordan.
All Replies
-
VLAN 700 base port is wan1? And you SNAT the LAN1?
Does your ISP require a VLAN? Could you test with a VLAN switch to tag the incoming VLAN and untag the port to wan1, and see what happens?
0 -
Can you test the MTU size between your PC and the destination server first?
Path MTU tool: https://www.iea-software.com/products/mtupath/
e.g.
C:\>mtupath.exe www.google.com
MTU path scan to www.google.com (216.58.200.228), ttl=64, limit=48
# 16 processing - best MSS 1472 (estimated MTU 1500) [pPPPPpPppPpppppp]
# 01 nearest minimum MTU on local interface
#1 MSS IN RANGE 1 <== 1471 ==> 1472
#2 MSS EXCEEDED 1473 <== 14911 ==> 16384

Default MTU of USG is 1500.
There are many routers between your PC and the destination server.
If any node in the whole path doesn’t allow an MTU size over 1500, then packets will be dropped by that router.
After you get the “estimated MTU”, you can change the MTU size on your VLAN interface.
0 -
Hi everyone,

Thanks a lot for your replies,

PeterUK said:
VLAN 700 base port is wan1? And you SNAT the LAN1?
Does your ISP require a VLAN? Could you test with a VLAN switch to tag the incoming VLAN and untag the port to wan1, and see what happens?

I cannot test with a switch between the devices; I sadly do not have physical access to our Zyxel router.

Zyxel_Stanley said:
Can you test the MTU size between your PC and the destination server first?
Path MTU tool: https://www.iea-software.com/products/mtupath/
e.g.
C:\>mtupath.exe www.google.com
MTU path scan to www.google.com (216.58.200.228), ttl=64, limit=48
# 16 processing - best MSS 1472 (estimated MTU 1500) [pPPPPpPppPpppppp]
# 01 nearest minimum MTU on local interface
#1 MSS IN RANGE 1 <== 1471 ==> 1472
#2 MSS EXCEEDED 1473 <== 14911 ==> 16384

Default MTU of USG is 1500.
There are many routers between your PC and the destination server.
If any node in the whole path doesn’t allow an MTU size over 1500, then packets will be dropped by that router.
After you get the “estimated MTU”, you can change the MTU size on your VLAN interface.

So I did an MTUpath run from the faulty Zyxel to google.ch; here are the results:
C:\>mtupath.exe google.ch
MTU path scan to google.ch (172.217.170.3), ttl=64, limit=48
# 16 processing - best MSS 1472 (estimated MTU 1500) [pPPPPpPppPpppppp]
# 01 nearest minimum MTU on local interface
#1 MSS IN RANGE 1 <== 1471 ==> 1472
#2 MSS EXCEEDED 1473 <== 14911 ==> 16384

And here are the results from the outside to the public IP of the Zyxel:
C:\>mtupath.exe 197.2XX.XXX.XXX
MTU path scan to 197.2XX.XXX.XXX, ttl=64, limit=48
# 16 processing - best MSS 100 (estimated MTU 128) [p********pp***pp]
#1 MSS IN RANGE 1 <== 99 ==> 100
#2 SCAN TIMEOUT 101 <== 16283 ==> 16384
[WARNING] Minimum IPv4 Internet MTU of 576 was not reached
[WARNING] Possible PMTU blackhole in route to peer

Cheers,
Jordan.
0 -
The pathMTU tool can only find the maximum MTU that can pass to the destination server along the whole path.
You can also use trace route to find all of the hops to the destination, and test pathMTU again to find the router which doesn’t allow a larger MTU.
C:\>tracert -d 8.8.8.8

Usually, the routers are maintained by the service provider. So the only way is to report this situation to your service provider.
In your situation, which server address and service port don’t work in your environment?
0 -
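The two mtupath runs posted in this thread, fed through a small triage parser. This is an added example, not code from any poster or from the mtupath tool. The output format is assumed from the pasted runs only, and the verdict names and the rule built on the 576-byte floor are this example's own heuristic: probes that time out just above a tiny size point at an ICMP size filter on the target, such as the ADP policy named in the accepted solution, rather than at a real path MTU.

```python
import re

IPV4_FLOOR = 576  # value named in mtupath's own [WARNING] line in this thread

def parse_mtupath(text):
    """Pull the fields needed for triage out of one pasted mtupath run."""
    run = {"target": None, "best_mss": None, "est_mtu": None,
           "stop": None, "stop_size": None, "warnings": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.search(r"MTU path scan to ([^\s,]+)", line):
            run["target"] = m.group(1)
        if m := re.search(r"best MSS (\d+) \(estimated MTU (\d+)\)", line):
            run["best_mss"], run["est_mtu"] = int(m.group(1)), int(m.group(2))
        if m := re.search(r"(MSS EXCEEDED|SCAN TIMEOUT) (\d+)", line):
            run["stop"], run["stop_size"] = m.group(1), int(m.group(2))
        if line.startswith("[WARNING]"):
            run["warnings"].append(line[len("[WARNING]"):].strip())
    return run

def triage(run):
    """Heuristic verdict (an assumption of this example, not mtupath logic)."""
    if run["est_mtu"] is None:
        return "unparsed"
    if run["est_mtu"] < IPV4_FLOOR and run["stop"] == "SCAN TIMEOUT":
        # Larger probes vanish silently and the estimate is implausibly low:
        # check ICMP size rules on the target (ADP here) before touching MTU.
        return "suspect-icmp-size-filter"
    if run["stop"] == "MSS EXCEEDED":
        return "path-mtu-measured"
    return "inconclusive"

# Runs copied from the thread (address masked as posted).
OUTBOUND = """MTU path scan to google.ch (172.217.170.3), ttl=64, limit=48
# 16 processing - best MSS 1472 (estimated MTU 1500) [pPPPPpPppPpppppp]
# 01 nearest minimum MTU on local interface
#1 MSS IN RANGE 1 <== 1471 ==> 1472
#2 MSS EXCEEDED 1473 <== 14911 ==> 16384"""
INBOUND = """MTU path scan to 197.2XX.XXX.XXX, ttl=64, limit=48
# 16 processing - best MSS 100 (estimated MTU 128) [p********pp***pp]
#1 MSS IN RANGE 1 <== 99 ==> 100
#2 SCAN TIMEOUT 101 <== 16283 ==> 16384
[WARNING] Minimum IPv4 Internet MTU of 576 was not reached
[WARNING] Possible PMTU blackhole in route to peer"""

if __name__ == "__main__":
    for name, text in (("outbound", OUTBOUND), ("inbound", INBOUND)):
        run = parse_mtupath(text)
        print(name, run["target"], run["est_mtu"], triage(run))
```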