Symptom:
As shown in the figure, the firewall is configured with a NAT Server for the intranet server and with NAT Outbound. The intranet server's gateway is the IP address of the S6500 interface that connects to the intranet. Large-packet pings from the intranet server to the extranet fail, but large-packet pings within the intranet succeed.

Possible causes:
Reason one: the firewall's NAT handling of large-packet fragments is abnormal, so large packets cannot pass.
Reason two: a device on the link from the S8508 to the destination address does not support large-packet fragmentation.
Reason three: the attack defense configuration is wrong, so large pings cannot get through.

Troubleshooting:
1. From the intranet server, ping the gateway S6500 with a packet length of 5000: normal. From the S8508, ping the extranet destination address with a packet length of 5000: also normal. But pinging between the S6500 and the S8508, in either direction, with a packet length of 5000 fails. This rules out reason two.
2. On the firewall, run the command firewall fragment-cache enable to enable fragment caching. The fault persists, so reason one is ruled out and the problem is located at reason three.
3. Checking the configuration shows that firewall defend large-icmp enable is configured, with a maximum length of 4000.
4. In the system view, run undo firewall defend large-icmp enable, or run firewall defend large-icmp max-length length and increase the length value.
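The segment-by-segment test in step 1 (probe each hop with the same large payload and see where the large ping first fails while small pings still pass) is easy to script. The following is an added example, not part of the original case: it assumes a Linux ping with the -c, -s and -W flags, and the hop names are placeholders for the intranet server's gateway (S6500), the firewall, and the S8508/extranet side. The ping command is taken from the PING_CMD variable so the walk logic can be exercised with a stand-in when no such network is available.

```shell
#!/bin/sh
# Added example: walk a path hop by hop with a large ICMP payload and report
# the first hop that stops answering. Hostnames are placeholders, not taken
# from the original case.

# PING_CMD may be overridden (for instance with a wrapper function) so the
# walk logic can be tested without the real network.
: "${PING_CMD:=ping}"

# probe HOST SIZE -> 0 if HOST answers a SIZE-byte ping, non-zero otherwise.
probe() {
    p_host=$1
    p_size=$2
    # -c 3: three probes, -s: payload size in bytes, -W 2: 2 s reply timeout
    "$PING_CMD" -c 3 -s "$p_size" -W 2 "$p_host" >/dev/null 2>&1
}

# walk_path SIZE HOST... -> prints one line per hop and returns the index
# (1-based) of the first hop that failed, or 0 if every hop answered.
# Every hop is probed even after a failure so the full pattern is visible.
walk_path() {
    w_size=$1
    shift
    first_fail=0
    idx=0
    for w_host in "$@"; do
        idx=$((idx + 1))
        if probe "$w_host" "$w_size"; then
            echo "hop $idx $w_host: $w_size-byte ping OK"
        else
            echo "hop $idx $w_host: $w_size-byte ping FAILED"
            if [ "$first_fail" -eq 0 ]; then
                first_fail=$idx
            fi
        fi
    done
    return "$first_fail"
}

# Typical use: compare a small and a large payload over the same hops.
# walk_path 64   s6500-gw firewall s8508 extranet-host
# walk_path 5000 s6500-gw firewall s8508 extranet-host
```

If the small payload passes every hop and the large one first fails at the firewall, the drop is at the firewall itself rather than on the far link, which is exactly the pattern that pointed to the large-ICMP defense setting in this case.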