I had this issue where I was only able to connect to websites like google.com and ibm.com when the MTU was set at 1500, but if I tried to connect to anything else, it would just show a blank page. When the MTU was lowered to 1499, it started working. I am curious as to why this works and if having the MTU set at 1499 could cause problems in the future? I actually don't know much about this, I just heard about it and am looking for a good explanation.

When I get an explanation of why the MTU was dropped by only 1 byte, I will update my question with the explanation.

Xaisoft

2 Answers

That may mean some other device upstream from you has a smaller mtu and someone has mis-configured a firewall to block all ICMP preventing MTU discovery for the path.

Many naive network administrators seem to believe that ICMP has no purpose and you can completely block it without any repercussions.

Zoredache
  • 1499 seems weird, though. Smaller MTUs are usually the result of tacking on another header (e.g. PPPoE, VPNs, VLANs, etc.) which shrink the MTU by some even number. For example 4 bytes for 802.1q or 8 bytes for PPPoE. What would use up just 1 byte? – Gerald Combs Sep 30 '09 at 19:38
  • @Gerald, that is a good, and the number seems odd to me as well. Perhaps someone else will offer up a possible explanation. – Zoredache Sep 30 '09 at 20:08
  • Gerald, I will find out why it was just 1 byte. – Xaisoft Sep 30 '09 at 20:10
  • The wireless network engineer at my company set it at 1499, so I will find out why and let you know. I am totally oblivious to all this stuff, lol. – Xaisoft Sep 30 '09 at 20:11
  • Might be a router/firewall/etc. somewhere misconfigured to catch packets with 1500+ MTU instead of >1500 MTU. – Chris S Dec 05 '10 at 15:39

To be more specific, what's happening is that the IP datagrams have the DF (Don't Fragment) flag set in their headers. They then hit a gateway somewhere along the path between you and the destination which has a smaller MTU than the one that the sender used. That gateway needs to fragment the datagrams further, so it sends an ICMP type 4 message, which essentially means, "I need to fragment these packets, but you said not to. So the destination is therefore unreachable."

Those ICMP packets are not received by the original sender because some gateway along the path has been configured (foolishly) to block all ICMP. So the sender doesn't know that his packets didn't get through and sits around waiting... and waiting. Eventually something will time out. Usually it's the human that times out first. :)

DictatorBob
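
Added example, not part of either answer: a parser for the ICMP "fragmentation needed and DF set" message (Destination Unreachable, type 3, code 4, RFC 1191) that path MTU discovery depends on, showing what a firewall that drops all ICMP throws away. The function names, the documentation-range addresses and the 1499-byte next-hop value in the sample are constructed for illustration.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_frag_needed(icmp: bytes):
    """Return PMTUD details for a valid type 3 / code 4 message, else None."""
    if len(icmp) < 8 + 20 + 8:   # ICMP header + quoted IP header + 8 payload bytes
        return None
    icmp_type, code, _csum, _unused, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
    # A message with a correct checksum sums to zero when re-checksummed.
    if (icmp_type, code) != (3, 4) or inet_checksum(icmp) != 0:
        return None
    (ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto, _hcsum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", icmp[8:28])
    if ver_ihl >> 4 != 4:
        return None
    return {
        "next_hop_mtu": next_hop_mtu,        # what the sender must shrink to
        "dropped_packet_len": total_len,     # size of the packet that was rejected
        "df_set": bool(flags_frag & 0x4000), # Don't Fragment bit in the quoted header
        "protocol": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        # Usable TCP MSS afterwards: MTU minus 20-byte IP and 20-byte TCP headers.
        "tcp_mss": next_hop_mtu - 40,
    }

def build_sample() -> bytes:
    """Constructed sample: a hop with a 1499-byte MTU rejects a 1500-byte DF packet."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 63, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.20"))
    tcp_first8 = struct.pack("!HHI", 49152, 80, 1)   # src port, dst port, seq
    body = struct.pack("!BBHHH", 3, 4, 0, 0, 1499) + ip + tcp_first8
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

if __name__ == "__main__":
    print(parse_frag_needed(build_sample()))
```

A firewall policy that permits this one message type inbound, while still filtering other ICMP, keeps path MTU discovery working.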