A security policy configuration problem prevents an intranet server from pinging the extranet with large packets.

Publication Date: 2012-10-26

Issue Description

As shown in the figure, the firewall is configured with NAT Server and NAT Outbound for the intranet server, and the intranet server's gateway is set to the IP address of the interface that connects the S6500 switch to the intranet. Large-packet pings from the intranet server to the extranet fail, but large-packet pings within the intranet work normally.

Alarm Information


Handling Process

1. Ping the gateway S6500 from the intranet server with a packet length of 5000: the result is normal. Ping the extranet destination address from S8508 with a packet length of 5000: the result is normal too. But when S6500 and S8508 ping each other with a packet length of 5000, every ping fails. Reason two can therefore be ruled out.
2. On the firewall, run the command firewall fragment-cache enable to enable the packet fragment cache function. The fault persists, so reason one can be ruled out, which leaves reason three.
3. Check the configuration: firewall defend large-icmp enable is configured, and the maximum value is 4000.
4. In the system view, run undo firewall defend large-icmp enable to disable the defense, or run firewall defend large-icmp max-length length to increase the length value.

Root Cause

Reason one: the firewall's NAT configuration handles large-packet fragments abnormally, so large packets cannot pass.
Reason two: a device on the link from S8508 to the destination address does not support large-packet fragmentation.
Reason three: an incorrect attack defense configuration prevents large-packet pings from passing.
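
The three reasons can also be told apart by finding the exact size at which pings start to fail: a limit at the largest unfragmented payload points to fragment handling (reasons one and two), while a limit well above it points to a length-based filter such as the large-ICMP defense (reason three). The Python script below is an added example, not part of the original case; the 1500-byte MTU, the Linux iputils ping flags and the function names are assumptions.

```python
import subprocess
from typing import Callable

MTU = 1500                          # assumption: Ethernet MTU on every hop
MAX_UNFRAGMENTED = MTU - 20 - 8     # IPv4 + ICMP headers -> 1472-byte payload


def ping_probe(host: str) -> Callable[[int], bool]:
    """Return a probe that sends one ping of a given payload size (Linux iputils)."""
    def probe(size: int) -> bool:
        cmd = ["ping", "-c", "1", "-W", "2", "-s", str(size), host]
        return subprocess.run(cmd, capture_output=True).returncode == 0
    return probe


def largest_passing_size(probe: Callable[[int], bool], low: int, high: int) -> int:
    """Binary-search the largest payload in [low, high] that still passes.

    Assumes drops are monotonic in size. Returns low - 1 if even `low` fails.
    """
    if not probe(low):
        return low - 1
    if probe(high):
        return high
    while high - low > 1:           # invariant: probe(low) passes, probe(high) fails
        mid = (low + high) // 2
        if probe(mid):
            low = mid
        else:
            high = mid
    return low


def classify(limit: int, low: int, high: int) -> str:
    """Map the measured limit onto the reasons listed in this case."""
    if limit < low:
        return "no connectivity: not a packet-size problem"
    if limit >= high:
        return "no size-related drop in the tested range"
    if limit <= MAX_UNFRAGMENTED:
        return "fragmentation problem (reason one or two)"
    # Fragmented pings pass up to `limit`, so fragments are forwarded correctly;
    # the measured value can differ from the configured max-length by header bytes.
    return "size filter (reason three)"
```

On a real path, call largest_passing_size(ping_probe(host), 64, 5000) from the intranet server and pass the result to classify.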