[nsp] ICMP: time exceeded (reassembly)
TBulger at ea.com
Tue Feb 3 00:47:25 EST 2004

The router sends ICMP messages because for the tunnel packets, it acts
as a host. It only acts as a router for the tunnel payload. If the MTU
of your tunnel interfaces is 1476, there should be no fragmentation of
the tunnel packets themselves unless an interface on the path between
endpoints has a lower MTU than your endpoints. It is quite possible
that a firewall or ACL (more likely) is blocking those fragments,
resulting in reassembly timeouts.

From: Victor Sudakov [mailto:sudakov at sibptus.tomsk.ru]
Sent: Monday, February 02, 2004 8:50 PM
To: cisco-nsp at puck.nether.net
Subject: [nsp] ICMP: time exceeded (reassembly)

A GRE tunnel is configured between a Cisco router and a FreeBSD host.
The config on the router is:

    ip address 220.127.116.11 255.255.255.252
    ip verify unicast reverse-path
    tunnel source 18.104.22.168
    tunnel destination 22.214.171.124

The problem is that large datagrams cannot pass through the tunnel
and the router sends the following ICMP messages to the other tunnel

    24782: ICMP: time exceeded (reassembly) sent to 126.96.36.199 (dest
    24783: ICMP: time exceeded (reassembly) sent to 188.8.131.52 (dest
    24826: ICMP: time exceeded (reassembly) sent to 184.108.40.206 (dest

I suppose the datagrams get fragmented because packets are larger than
the tunnel MTU which is the default 1476 on both sides. My question is
why is the router unable to reassemble the fragments?

    0 = time to live exceeded in transit;
    1 = fragment reassembly time exceeded.

    If the gateway processing a datagram finds the time to live field
    is zero it must discard the datagram. The gateway may also notify
    the source host via the time exceeded message.

    If a host reassembling a fragmented datagram cannot complete the
    reassembly due to missing fragments within its time limit it
    discards the datagram, and it may send a time exceeded message.

    If fragment zero is not available then no time exceeded need be
    sent at all.

    Code 0 may be received from a gateway. Code 1 may be received
    from a host.

Looks like a Cisco router is not supposed to send Code 1 messages at
all, because it is a router and not a host.

Any help is appreciated.

Victor Sudakov, VAS4-RIPE, VAS47-RIPN

cisco-nsp mailing list cisco-nsp at puck.nether.net
archive at http://puck.nether.net/pipermail/cisco-nsp/
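
Added example (not part of the thread and not either poster's code): a Python sketch of the mechanism the reply describes, combined with the RFC 792 rule quoted in the original message. It fragments an outer GRE/IP packet the way RFC 791 does and shows that a reassembly time exceeded is sent only when fragment zero arrived and a later fragment did not. The 1400-byte path MTU, the fragment-dropping filter and all function names are assumptions made for illustration.

```python
# Added illustration, not from the thread: RFC 791 fragmentation of a GRE
# tunnel packet and the RFC 792 reassembly-timeout rule at the endpoint.
IP_HDR = 20    # outer IPv4 header, no options
GRE_HDR = 4    # basic GRE header; 1500 - 20 - 4 = 1476, the tunnel MTU

def tunnel_packet_len(inner_len):
    """Size on the wire of an inner packet after GRE encapsulation."""
    return inner_len + GRE_HDR + IP_HDR

def fragment(total_len, path_mtu):
    """Split one IPv4 packet into (offset, length, more_fragments) tuples.
    Offset and length count payload bytes after the IP header."""
    payload = total_len - IP_HDR
    if total_len <= path_mtu:
        return [(0, payload, False)]
    step = (path_mtu - IP_HDR) // 8 * 8   # fragment data is a multiple of 8
    frags, off = [], 0
    while off < payload:
        size = min(step, payload - off)
        frags.append((off, size, off + size < payload))
        off += size
    return frags

def drop_non_initial(frags):
    """Hypothetical filter on the path that passes only the first fragment."""
    return [f for f in frags if f[0] == 0]

def endpoint_result(frags_received):
    """Outcome at the reassembling host (the tunnel endpoint) once its
    reassembly timer has expired."""
    expected, complete = 0, False
    for off, size, more in sorted(frags_received):
        if off != expected:      # hole in the datagram
            break
        expected = off + size
        if not more:             # last fragment reached with no holes
            complete = True
            break
    if complete:
        return "delivered"
    have_zero = any(off == 0 for off, _, _ in frags_received)
    # RFC 792: no time exceeded need be sent if fragment zero is missing.
    return "icmp 11/1" if have_zero else "silent drop"

if __name__ == "__main__":
    outer = tunnel_packet_len(1476)          # inner packet at the tunnel MTU
    frags = fragment(outer, 1400)            # constructed lower path MTU
    print(frags)
    print(endpoint_result(drop_non_initial(frags)))
```

With these constructed values the endpoint receives fragment zero, never sees the second fragment, and reports type 11 code 1, the message shown in the router log above.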