Just a thought, so this may not apply to your situation.
A "possible" cause for this could be your "udp_pmtu_discover" and
"tcp_pmtu_discover" settings. We had the same problem of large ICMP packets
coming from our 5.x AIX boxes. Do a "netstat -r" and check to see if you
have entries with "1500" under the PMTU column. As long as we had "1500"
showing up in this output, our sniffers were showing large ICMP packets
originating from our boxes. Setting the "udp_pmtu_discover" and
"tcp_pmtu_discover" option to 0 fixed the problem.....turning it off. After
performing the following steps, the "1500" entries went away and our
sniffers stopped showing large ICMP packets coming from our boxes.
BTW....Netview had nothing to do with this problem....it is an AIX setting
that, by default, should be turned off.
1. Check to see if enabled....
run.... no -a |grep pmtu_discover
If the output comes back with both equaling "1" then it is enabled
2. To disable on AIX 4.3 - 5.1
run.... no -o udp_pmtu_discover=0
run.... no -o tcp_pmtu_discover=0
For AIX 5.2, add a "-p" flag,(no -o -p ......)This will update the nextboot
file under /etc/tunables directory.
3. Edit /etc/rc.net for it to be disabled at reboots for AIX 4.3 - 5.1
add the following lines at the "no" section found at the end of the file.
/usr/sbin/no -o tcp_pmtu_discover=0 >>/dev/null 2>&1
/usr/sbin/no -o udp_pmtu_discover=0 >>/dev/null 2>&1
This fixed it for us on all of our AIX boxes.
Channing Hill
EMS Analyst II
BB&T
(252) 246-3642
-----Original Message-----
From: Paul [mailto:pstroud@bellsouth.net]
Sent: Monday, December 08, 2003 7:35 PM
To: nv-l@lists.us.ibm.com
Subject: Re: [nv-l] ICMP packetsize
Are you running anything else on the NetView machine?
I would not expect to see a ping that large coming
from netmon. If you would like, post a hex dump of the
packet. I wouldn't mind looking at it....
Paul
W.M.de.Bruin@dnb.nl wrote:
> Good morning all,
> in our firewall we see large ICMP packets coming from Netview. These
> packets are being considered an attack by the firewall as they are too
> large. (1464 bytes). Why is Netview sending such large ICMP queries? I
> have tried pinging from the commandline of the NMS (AIX 5.0) and then
> we have ICMP packets of a "normal" size. (64 bytes) Is there a way to
> set the ICMP packetzsize that Netview uses?
>
> Regards
> Wouter de Bruin
> Network Management Specialist
>
> ´Externe E-Mail wordt door DNB niet gebruikt voor het aangaan van
> verplichtingen`
>
>
>
> ´Any e-mail messages from The Nederlandsche Bank are given in good
> faith but shall not be binding nor shall they be construed as
> constituting any obligation on the part of the Bank.`
>
>
>
>
>
|