5.x can ping 25152 bytes but not 25153

Robert Watson rwatson at freebsd.org
Sat Jan 8 16:33:17 PST 2005

On Sat, 8 Jan 2005, Jay Teutenberg wrote:

> We are up against an interesting problem. 
> We have several FBSD servers, the ones that are 5.x do not seem to be
> able to respond to pings larger than 25152, but 4.x kernels can. 
> We are getting I/O errors from sendmail and want to make sure our
> networking is ok. We have tried swapping cables, ports in the cisco cat
> 2912, swapped 3com905's, no luck. 
> Thanks all, my apologies if this is a bikeshed, I did my best to
> research it. Found some postings in this group last year where someone
> mentions this phenomenon, but no fix or answer was offered.
> http://lists.freebsd.org/pipermail/freebsd-questions/2004-April/044070.html

This is probably due to resource limits on the maximum number of fragments
that may be supported for an IP packet.  You can take a look at the
fragment limits using sysctl:

  net.inet.ip.maxfragpackets: 800
  net.inet.ip.maxfragsperpacket: 16

If you increase maxfragsperpacket, you should be able to see FreeBSD
clients and servers handle ICMP pings larger in size.  These resource
limits were put in place to address a widely observed denial of service
attack involving the delivery of many small fragments to hosts in a form
that prevents reassembly but consumes large amounts of memory and CPU.
Let me know if tweaking the above doesn't help, though!


Robert N M Watson
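
[Added example, not part of the original message.] The sketch below works out how many IP fragments a given "ping -s" size produces, to compare against net.inet.ip.maxfragsperpacket. It assumes IPv4 over Ethernet with a 1500-byte MTU, a 20-byte IP header without options and an 8-byte ICMP echo header; the function names are made up for this example.

```sh
#!/bin/sh
# Assumptions (not from the original message): IPv4, MTU 1500,
# 20-byte IP header with no options, 8-byte ICMP echo header.
IP_HDR=20
ICMP_HDR=8

# IP payload bytes carried by each non-final fragment at MTU $1.
# Fragment offsets are counted in 8-byte units, so round down to a multiple of 8.
frag_data() {
    echo $(( ( ($1 - $IP_HDR) / 8 ) * 8 ))
}

# Number of IP fragments needed for "ping -s $1" on a link with MTU $2.
frag_count() {
    per=$(frag_data "$2")
    total=$(( $1 + $ICMP_HDR ))
    echo $(( (total + per - 1) / per ))
}

# Largest "ping -s" payload that still fits in $1 fragments at MTU $2.
max_ping_payload() {
    per=$(frag_data "$2")
    echo $(( $1 * per - $ICMP_HDR ))
}

# Fragment layout for "ping -s $1" at MTU $2, one line per fragment:
# index, offset field (8-byte units), data length, more-fragments flag.
frag_layout() {
    per=$(frag_data "$2"); left=$(( $1 + $ICMP_HDR )); off=0; i=1
    while [ "$left" -gt 0 ]; do
        if [ "$left" -gt "$per" ]; then len=$per; mf=1; else len=$left; mf=0; fi
        echo "$i $(( off / 8 )) $len $mf"
        off=$(( off + len )); left=$(( left - len )); i=$(( i + 1 ))
    done
}

# The two sizes from the subject line.
for s in 25152 25153; do
    echo "ping -s $s -> $(frag_count "$s" 1500) fragments"
done
# On the FreeBSD host, compare with: sysctl net.inet.ip.maxfragsperpacket
```

Under these assumptions the 25152/25153 boundary is exactly where the fragment count goes from 17 to 18, which fits a per-packet fragment cap rather than cabling or NICs.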

