[nsp] ICMP: time exceeded (reassembly)

Bulger, Tim TBulger at ea.com
Tue Feb 3 00:47:25 EST 2004

The router sends ICMP messages because for the tunnel packets, it acts
as a host.  It only acts as a router for the tunnel payload.  If the MTU
of your tunnel interfaces is 1476, there should be no fragmentation of
the tunnel packets themselves unless an interface on the path between
endpoints has a lower MTU than your endpoints.  It is quite possible
that a firewall or ACL (more likely) is blocking those fragments,
resulting in reassembly timeouts.

Good luck,

-----Original Message-----
From: Victor Sudakov [mailto:sudakov at sibptus.tomsk.ru] 
Sent: Monday, February 02, 2004 8:50 PM
To: cisco-nsp at puck.nether.net
Subject: [nsp] ICMP: time exceeded (reassembly)


A GRE tunnel is configured between a Cisco router and a FreeBSD host.
The config on the router is:

interface Tunnel5
 description test
 ip address
 ip verify unicast reverse-path
 tunnel source
 tunnel destination

The problem is that large datagrams cannot pass through the tunnel
and the router sends the following ICMP messages to the other tunnel

24782: ICMP: time exceeded (reassembly) sent to (dest
24783: ICMP: time exceeded (reassembly) sent to (dest
24826: ICMP: time exceeded (reassembly) sent to (dest

I suppose the datagrams get fragmented because packets are larger than
the tunnel MTU which is the default 1476 on both sides. My question is
why is the router unable to reassemble the fragments?

RFC792 reads:


   ICMP Fields:




      0 = time to live exceeded in transit;

      1 = fragment reassembly time exceeded.



      If the gateway processing a datagram finds the time to live field
      is zero it must discard the datagram.  The gateway may also notify
      the source host via the time exceeded message.

      If a host reassembling a fragmented datagram cannot complete the
      reassembly due to missing fragments within its time limit it
      discards the datagram, and it may send a time exceeded message.

      If fragment zero is not available then no time exceeded need be
      sent at all.

      Code 0 may be received from a gateway.  Code 1 may be received
      from a host.

Looks like a Cisco router is not supposed to send Code 1 messages at
all, because it is a router and not a host.

Any help is appreciated.

Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
cisco-nsp mailing list  cisco-nsp at puck.nether.net
archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list