Troubleshooting PMTU Black Hole Routers

Some routers do not send an "ICMP Destination Unreachable" message when they cannot forward an IP datagram. Instead, they ignore the datagram. Typically, an IP datagram cannot be forwarded because its maximum segment size is too large for the receiving server, and the Don't Fragment bit is set in the header of the datagram. Routers that ignore these datagrams and send no message are called PMTU black hole routers.

To respond effectively to black hole routers, you must enable the Path MTUBH Detect feature of TCP/IP. Path MTUBH Detect recognizes repeated unacknowledged transmissions and responds by turning off the Don't Fragment bit. After a datagram is transmitted successfully, it reduces the maximum segment size and turns the Don't Fragment bit on again.

The Path MTUBH Detect feature is disabled by default, but you can enable it by adding the EnablePMTUBHDetect entry to the registry and setting its value to 1 . EnablePMTUBHDetect is an optional entry that does not appear in the registry unless you add it. You must place it in:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip \Parameters.

You can disable Path MTUBH Detect by deleting EnablePMTUBHDetect from the registry or by setting the entry's value to 0 .

A second registry entry, EnablePMTUDiscovery , also helps address the PMTU black hole router problem. This key is enabled by default. EnablePMTUDiscovery completely enables or disables the PMTU discovery mechanism.When PMTU discovery is disabled, a TCP Maximum Segment Size (MSS)of 536 bytes is used for all non-local destination addresses.

Discovering PMTU with Ping

The PMTU between two hosts can be discovered manually using the ping   -f command, as follows:

ping -f -n < number of pings > -l < size > < destination IP address >

The following example shows how Ping's size parameter can be varied until the MTU is found. Note that Ping's size parameter specifies just the size of the ICMP Echo Request data to send, not including the IP and ICMP Echo Request headers. The ICMP Echo Request header is 8 bytes, and the IP header is normally 20 bytes. In the Ethernet case shown here, the link layer MTU contains the maximum-sized Ping buffer plus 28, for a total of 1500 bytes on the first ping and 1501 on the second:

C:\>ping -f -n 1 -l 1472

Pinging with 1472 bytes of data:

Reply from bytes=1472 time<10ms TTL=128

Ping statistics for

Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\>ping -f -n 1 -l 1473

Pinging with 1473 bytes of data:

Packet needs to be fragmented but DF set.

Ping statistics for

Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

In the second ping, the IP layer returns an ICMP error message that Ping interprets. If the router had been a black hole router, Ping would not be answered once its size exceeded the MTU that the router could handle. Ping can be used in this manner to detect such a router.