Question & Answer
Question
Why are my ping packets failing when I ping using a packet size greater than 1472 bytes?
Cause
One possible cause of this type of failure is that the AIX utility aixpert has been activated. When activated, aixpert creates a series of shun host filter rules that block certain types of packets.
Answer
Check whether the ipsec_v4 device is in the Available state:
# lsdev -C |grep ipsec
ipsec_v4 Available IP Version 4 Security Extension
ipsec_v6 Available IP Version 6 Security Extension
If the ipsec_v4 device is not available, the problem you are facing has to be debugged further and there is no need to continue with this document.
If, however, the ipsec_v4 device is available, proceed with the rest of this document for a possible solution.
List the IPSec filter rules. You may have to redirect the output to a file and examine the file to find the rule that is causing the problem.
# lsfilt -v4 > lsfilt.out
In this example ipsec_v4 was available on destination host 10.0.0.24. Here is one rule from the lsfilt output.
# lsfilt -v4 |grep -p 10.0.0.24
Rule 59:
Rule action : shun_host <---
Source Address : 0.0.0.0
Source Mask : 0.0.0.0
Destination Address : 10.0.0.24
Destination Mask : 255.255.255.255
Source Routing : yes
Protocol : all
Source Port : any 0
Destination Port : eq 200
Scope : both
Direction : both
Logging control : no
Fragment control : all packets <----
Tunnel ID number : 0
Interface : all
Auto-Generated : no
Expiration Time : 300
Description :
The above rule, which was on the destination host at 10.0.0.24, caused incoming ping packets to fail when the client used a packet size greater than 1472 bytes. They failed because the incoming packets were fragmented.
Ping with a size greater than 1472 bytes failed because the shun_host rule action sets this option by default:
Fragment control : all packets
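The check described above, as an added example that is not part of the original document: a shell function that scans lsfilt output for shun_host rules whose Fragment control is "all packets". Rule 59 in the sample is taken from the output above; rules 60 and 61 and the function names are constructed for illustration.

```shell
# Constructed sample: rule 59 mirrors the page; rules 60 and 61 are made up
# for contrast (a corrected shun_host rule and a permit rule).
sample_lsfilt_output() {
cat <<'EOF'
Rule 59:
Rule action : shun_host <---
Destination Address : 10.0.0.24
Destination Port : eq 200
Fragment control : all packets <----
Rule 60:
Rule action : shun_host
Destination Address : 10.0.0.24
Destination Port : eq 201
Fragment control : fragment headers and unfragmented packets only
Rule 61:
Rule action : permit
Destination Address : 10.0.0.24
Destination Port : any 0
Fragment control : all packets
EOF
}

# Read lsfilt-style text on stdin; print one line per offending rule:
#   <rule number> <destination address> <destination port>
find_fragment_blocking_rules() {
awk '
function report() {
    if (rule != "" && action == "shun_host" && frag == "all packets")
        print rule, dest, port
}
function value(line) {          # text after the first ":" with padding trimmed
    sub(/^[^:]*:[ \t]*/, "", line)
    sub(/[ \t]*(<-+)?[ \t]*$/, "", line)   # also drops "<---" annotations
    return line
}
/^[ \t]*Rule [0-9]+:/         { report(); rule = $2; sub(/:/, "", rule)
                                action = frag = dest = port = ""; next }
/^[ \t]*Rule action/          { action = value($0) }
/^[ \t]*Destination Address/  { dest = value($0) }
/^[ \t]*Destination Port/     { port = value($0) }
/^[ \t]*Fragment control/     { frag = value($0) }
END                           { report() }
'
}

# Demo on the constructed sample; on a live host: lsfilt -v4 | find_fragment_blocking_rules
sample_lsfilt_output | find_fragment_blocking_rules
```

Only rule 59 is reported: rule 60 already uses the corrected Fragment control value, and rule 61 is not a shun_host rule.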
In most cases aixpert has been invoked by mistake, or invoked without considering the results of this action.
If you find that you do not need aixpert and ipsec, you can remove them by doing the following:
# aixpert -u
# rmdev -dl ipsec_v4
# rmdev -dl ipsec_v6
If you determine that you do need aixpert and ipsec, make the following change to the shun_host rule(s), then update and activate the rule(s) after making the change.
Change Fragment control : all packets
To
Fragment control : fragment headers and unfragmented packets only.
After implementing the change, ping will not fail when pinging with a size greater than 1472 bytes while aixpert is configured using shun_host rules.
Document Information
Modified date: 17 June 2018
UID: isg3T1024503