MPLS VPN Service is unreachable because of MTU Problem

Created Mar 28, 2016 11:11:31. Latest reply Mar 28, 2016 22:56:27.

For the topology, refer to the attachment.
The VPN user cannot access web server A, but can access web server B normally.
The PC, server A and server B belong to one VPN. Server A and server B are under different PEs.


Osaideo     Created Mar 28, 2016 22:56:27

Alarm Information
Null
Handling Process

1. Check whether the MPLS VPN service is normal.
        a. The M-BGP connection is established on the PE.
        b. The RT configuration is correct.
        c. The PE can learn the private network information of the opposite PE.
        d. Label distribution assigns the correct public/private network labels.
2. Check web server A.
        a. The web service is normal.
3. Check the MTU.
        a. Capture packets. It is found that the web server sends a packet whose length at the IP layer is 1496. The packet is non-fragmented.
           When the packet enters the MPLS network, it is 1496+8(MPLS*2)=1504.
        b. Delete the firewall configuration that denies ICMP packets. The PC can ping with -f -l 1464, but it cannot ping with -f -l 1465.
           It indicates that the path MTU is 1464+8(MPLS*2)+8(ICMP)+20(IP)=1500.
        c. Check the network devices. It is found that the label switch MTU on C12012 is 1500, so the packet with the length of 1504 cannot pass.
Root Cause

1. Is the MPLS VPN service between NE80-A and NE80-B problematic?
        a. M-BGP does not set up a connection.
        b. The RT configuration is not right.
        c. The private network route information is wrong.
        d. LDP does not correctly distribute the public network label.
        e. M-BGP wrongly distributes the private network label.
2. Is web server A problematic?
        a. The HTTP service of the web server is not enabled.
        b. It is disconnected from the network.
3. Is the MTU problematic?
        If the web server sends a packet that is too large, the packet exceeds the MTU of some network device, and DF=1, the packet cannot pass. The network device then replies with an ICMP unreachable packet. If the web server receives that packet, it automatically reduces the size of the packets it sends (MTU discovery).
Solution
Suggestions

There are two reasons:
1. The web server sends packets that cannot be fragmented. After two layers of MPLS labels are added to a packet that the web server sends, it exceeds the MTU of an intermediate network device. The packet is discarded.
2. The firewall denies ICMP packets, so path MTU discovery cannot be used.
Note:
Basic idea of path MTU discovery: Suppose the MTU from the source host to the destination host is that of the first interface on which the source host sends the packet. The DF bit in the IP header of all IP packets to the host is set to 1. A router on the forwarding path receives the packet. When it forwards the packet to an outbound interface, it finds that the packet is larger than the MTU of the outbound interface and that the DF bit is 1. The router discards the packet and returns an ICMP destination unreachable packet (type 3, code 4, fragmentation needed but don't-fragment bit set) to inform the source host of the discarded packet. After the source host receives the ICMP packet, it reduces the PMTU of this supposed path.
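
The two causes named in the post, modelled as an added example that is not part of the original post: a DF=1 packet crossing a hop that adds two MPLS labels, and sender-side path MTU discovery with ICMP allowed or denied. The hop order, the `server-LAN` hop and the MTU value the router advertises in its ICMP reply are assumptions; the sizes come from the post.

```python
from dataclasses import dataclass

MPLS_LABEL_BYTES = 4   # one MPLS label stack entry
ICMP_HDR, IP_HDR = 8, 20

@dataclass
class Hop:
    name: str
    mtu: int         # MTU the hop applies to IP packet plus label stack
    labels: int = 0  # MPLS labels carried by the packet on this hop

# Constructed path: a plain LAN hop, then the label-switched hop from the post
# (label switch MTU 1500, two labels). Hop order and "server-LAN" are assumptions.
PATH = [Hop("server-LAN", 1500), Hop("C12012", 1500, labels=2)]

def ping_ip_len(payload):
    """IP length of an echo request sent with `ping -f -l <payload>`."""
    return payload + ICMP_HDR + IP_HDR

def forward(ip_len, path):
    """Forward a DF=1 packet. Returns (delivered, dropping_hop, advertised_mtu)."""
    for hop in path:
        overhead = hop.labels * MPLS_LABEL_BYTES
        if ip_len + overhead > hop.mtu:
            # ICMP type 3 code 4; assumed to advertise the largest IP packet
            # that still fits once the label stack is added.
            return False, hop.name, hop.mtu - overhead
    return True, None, None

def pmtud(first_if_mtu, path, icmp_blocked, max_tries=5):
    """Sender-side PMTUD: start at the first interface MTU, shrink on ICMP 3/4.
    Returns the discovered PMTU, or None when the sender never converges."""
    pmtu = first_if_mtu
    for _ in range(max_tries):
        delivered, _hop, advertised = forward(pmtu, path)
        if delivered:
            return pmtu
        if icmp_blocked:
            return None  # drop is silent: the sender keeps sending full-size packets
        pmtu = advertised
    return None

if __name__ == "__main__":
    for payload in (1464, 1465):
        print(payload, forward(ping_ip_len(payload), PATH))
    print("web packet 1496:", forward(1496, PATH))
    print("PMTUD, ICMP allowed:", pmtud(1500, PATH, icmp_blocked=False))
    print("PMTUD, ICMP denied: ", pmtud(1500, PATH, icmp_blocked=True))
```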
