Blocking ICMP

This is old news, real old, but I still run across it from time to time: customers block all of ICMP at their firewall or elsewhere.

The Internet Control Message Protocol is more than just ping (I remember the early Macs didn't implement ICMP, or at least echo/ping, in their IP stack).

Among other things, ICMP tells the sending host when a router along the path cannot forward a packet without fragmenting it. A host doing Path MTU Discovery sets the Don't Fragment bit; a router that can't fit the packet through its next hop drops it and returns an ICMP Destination Unreachable, Fragmentation Needed (type 3, code 4) carrying the next-hop MTU. Block that message and the sender never learns to use smaller packets. Symptoms: telnet or web browsing works, but email or ftp stall, some of the time, because small interactive packets get through while full-size data packets silently vanish. In short, to the casual observer (known as a user), it is one more thing that works randomly. If you must filter ICMP, pass Destination Unreachable (type 3), and at minimum code 4, rather than blocking the protocol wholesale.

Nowadays it's more important than ever, with the proliferation of VPNs, to get your fragmentation sorted out before the packet gets sucked into the VPN terminus. Why? The tunnel adds its own headers, so a packet that fit the local link no longer fits once it is wrapped, and once it is encrypted it is no longer a TCP packet (IP protocol 6) that the gateway can re-segment: it is protocol 50 (ESP) or protocol 47 (GRE), and the gateway cannot reach into the encrypted payload to split the TCP segment and recompute its checksums. Its only options are to fragment the outer packet (which the far end must reassemble and which many filters drop) or to send Fragmentation Needed back to the original sender, which is exactly the message a blanket ICMP block discards.
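Here is what that exchange looks like on the wire, as an added example written for this post (not the author's code, and not taken from any VPN product): a host sends a full-size Don't-Fragment TCP packet, the VPN gateway works out the MTU it can carry inside GRE or ESP, drops the packet and returns ICMP type 3 code 4 with the next-hop MTU, and the host validates the message (checksum, type/code, and that the quoted header matches a flow it actually owns, the same check a stateful firewall makes before passing "related" ICMP) before lowering its path MTU. The addresses, ports and the ESP overhead figures (AES-CBC with a 16-byte IV and an HMAC-SHA1-96 ICV) are assumptions; the run with `firewall_blocks_all_icmp=True` shows why the 1500-byte packets keep vanishing.

```python
"""
Path MTU Discovery over ICMP "Fragmentation Needed" (RFC 792 type 3 code 4,
RFC 1191 next-hop MTU field).  Added example for this post, not code from the
original.  All packet bytes are constructed inline; the tunnel overhead figures
are representative assumptions for IPv4+GRE and IPv4+ESP, not measurements.
"""
import struct

IPPROTO_ICMP = 1
IPPROTO_TCP = 6      # TCP is IP protocol 6
IPPROTO_GRE = 47
IPPROTO_ESP = 50
ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4

# Constructed sample addresses: host behind the VPN, the VPN terminus, a remote server.
HOST = bytes([10, 0, 0, 5])
GATEWAY = bytes([10, 0, 0, 1])
REMOTE = bytes([192, 0, 2, 10])


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by IPv4 and ICMP headers.
    Over a message with a valid checksum already in place it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: bytes, dst: bytes, proto: int, payload: bytes, df: bool = True) -> bytes:
    """Minimal 20-byte IPv4 header (no options); DF set by default, as a
    PMTUD-capable TCP stack sends."""
    flags_frag = 0x4000 if df else 0x0000
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0x1234, flags_frag, 64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def frag_needed(gateway: bytes, offending: bytes, next_hop_mtu: int) -> bytes:
    """What a router or VPN gateway sends when a DF packet will not fit the
    next hop: ICMP type 3 code 4 with the next-hop MTU and the first 28 bytes
    (IP header + 8 bytes of transport header) of the packet it dropped."""
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    body += offending[:28]
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    # The error is addressed to the *source* of the dropped packet.
    return ipv4_packet(gateway, offending[12:16], IPPROTO_ICMP, body, df=False)


def parse_frag_needed(packet: bytes):
    """Validate a Fragmentation Needed message.  Returns (next_hop_mtu,
    (src, dst, proto, sport, dport)) for the flow it refers to, or None."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_ICMP:
        return None
    icmp = packet[ihl:]
    if len(icmp) < 8 + 28 or inet_checksum(icmp) != 0:
        return None
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if itype != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    q = icmp[8:]                              # quoted header of the dropped packet
    sport, dport = struct.unpack("!HH", q[20:24])
    return mtu, (q[12:16], q[16:20], q[9], sport, dport)


def tunnel_inner_mtu(outer_mtu: int, proto: int) -> int:
    """Largest inner packet the gateway can carry without fragmenting the outer
    one.  GRE: 20-byte outer IP + 4-byte GRE header.  ESP (assumed AES-CBC with
    16-byte IV and 12-byte HMAC-SHA1-96 ICV): 20 outer IP + 8 SPI/seq + 16 IV
    + 12 ICV, with plaintext + 2-byte trailer padded to a 16-byte boundary."""
    if proto == IPPROTO_GRE:
        return outer_mtu - 20 - 4
    if proto == IPPROTO_ESP:
        room = outer_mtu - 20 - 8 - 16 - 12
        return (room // 16) * 16 - 2
    raise ValueError("unsupported encapsulation")


def simulate_pmtud(firewall_blocks_all_icmp: bool, encap: int = IPPROTO_ESP):
    """Host sends a full-size DF segment through the VPN terminus.  The gateway
    cannot re-segment inside the encrypted payload, so it drops the packet and
    returns Fragmentation Needed.  Returns (host's final path MTU, delivered?)."""
    tunnel_mtu = tunnel_inner_mtu(1500, encap)
    path_mtu = 1500
    flows = {(HOST, REMOTE, IPPROTO_TCP, 40000, 443)}   # connections the host owns
    tcp_hdr = struct.pack("!HHII", 40000, 443, 1, 0) + bytes(8)   # 20-byte TCP header
    for _ in range(2):                                   # one retransmission is enough to show it
        payload = tcp_hdr + b"A" * (path_mtu - 20 - len(tcp_hdr))
        pkt = ipv4_packet(HOST, REMOTE, IPPROTO_TCP, payload)
        if len(pkt) <= tunnel_mtu:
            return path_mtu, True
        icmp_err = frag_needed(GATEWAY, pkt, tunnel_mtu)
        if firewall_blocks_all_icmp:
            continue            # advice discarded; host keeps retransmitting 1500-byte packets
        parsed = parse_frag_needed(icmp_err)
        if parsed and parsed[1] in flows:       # only honour errors quoting a flow we own
            path_mtu = parsed[0]
    return path_mtu, False


if __name__ == "__main__":
    print("ICMP passed :", simulate_pmtud(False))
    print("ICMP blocked:", simulate_pmtud(True))
```

The flow check in `parse_frag_needed`/`simulate_pmtud` is the point to take away for firewall policy: a stateful filter can pass type 3 code 4 only when the quoted inner header matches a connection it has already seen, which gives you PMTUD without opening ICMP to the world.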

Exchange clients don't work on all workstations across VPNs? There were various versions of MS patches that appeared to break the MTU discovery mechanism that says use smaller packets.


