VyOS 1.2.3 and ICMP fragmentation


I noticed something strange today regarding ICMP traffic sent though my VyOS 1.2.3 router.

I have two VyOS router side by side - A (VyOS 1.1.8) and B (VyOS 1.2.3). Both routers are used to connect an AWS VPC (site 1) and a private data center (site 2) via IPSec. The two routers are not connected to each other. Routes are distributed via BGP.

When I send ICMP traffic from site 1 to site 2 via router A that exceeds the maximum MTU, I can clearly see the PMTUD packet being sent back from router A instructing the host to reduce the MTU. The packet size is reduced and the ICMP responses are received. Testing via router B, no PMTUD message is received and the ICMP responses are not received.

Secondly, when ICMP is specifically instructed NOT to set DF (-M dont) and I perform the same test with say, a packet size of 1500, ICMP via router A is fragmented correctly and the ICMP responses are received. Again, this is not the case via router B and no responses are received.

I don’t use firewall config at all on my VyOS routers and ICMP traffic is allowed elsewhere in both site 1 and 2. Are there additional config that need to be applied on the newer version of VyOS or any ideas why this could be? The interface configuration on both routers are identical in term of MTU size configuration on the different interface types.

Thanks in advance.

Resolved by explicitly setting MTU on tunnel GRE interfaces. I have not had to do this in v.1.1.8. Anyway, hope this helps someone else.

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.