URL that times out for some users and not others ...
Alex Satrapa
grail at goldweb.com.au
Wed Feb 7 16:31:43 PST 2007
On 08/02/2007, at 11:58 , Ashley Aitken wrote:
> On 08/02/2007, at 7:09 AM, Alex Satrapa wrote:
>
>> Ashley should read up on "path MTU discovery" and the problems
>> that are associated with it.
>
> Do you mean me (Ashley) or Michael (or both of us)?

Oh... I mean the person who reported the original problem. In fact,
it's useful reading for anyone who administers machines connected to
the Internet, regardless of whether you're responsible for the
network or only application support – it's the applications that will
display the symptoms so it helps if you're aware of the issue.

> Whilst I am here I might as well ask. I have a basic understanding
> of MTU but generally speaking, is one required to set the MTU to
> the minimum of all the hops within the packets path, so that larger
> packets don't get fragmented? When such packets reach networks
> that have a large MTU are they combined or are the packets sent
> through only partially full. When packets are coming the other
> way, I guess they are split up automatically and there is nothing
> that can be done about that.

The MTU needs to be set to the minimum of all the hops between your
machine and the target machine but only after the router/firewall
that is (wrongly) dropping ICMP packets.

The short version: when a packet is too big to get through a router,
the router will either fragment the packet and no harm is done, or
drop the packet back because the packet is marked, "DO NOT FRAGMENT",
and send an ICMP message to the origin saying, "MUST fragment!"

Incorrectly configured firewalls will drop ICMP packets, meaning the
originating machine never gets the message that the packets are too big.

The long version: http://en.wikipedia.org/wiki/Path_MTU_discovery

The main reason routers get broken this way (dropping ICMP) is that
administrators think they're preventing DDoS attacks on their
services while in fact they are making their router part of a bigger
problem and not getting any shelter from DDoS (which will use means
other than ICMP). But there is the other camp of administrators
(usually Windows admins) who feel that blocking ICMP is a fair way to
exercise their control over their network. But I'll leave that
soapbox for another day.

Another reason that Path MTU ends up breaking things is that some
consumer level routers are just plain broken - when someone tries to
send a 1500 byte packet over the 1470 byte MTU ADSL link, the router
just drops the packet because it doesn't know what to do.

Well, I've certainly got some ideas for my next soapbox – I mean,
blog entry...
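
Added example, not part of the original message: a parser for the ICMP "fragmentation needed" message described above, the one a firewall has to let through for path MTU discovery to work. The byte layout follows RFC 1191; the sample packet, the addresses and the function names are constructed for illustration.

```python
import socket
import struct

# RFC 1191 plateau table: fallback when an old router reports next-hop MTU 0.
PLATEAUS = (65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68)

def build_sample(next_hop_mtu):
    """Constructed sample: the ICMP error a router returns for a 1500-byte DF packet."""
    quoted_ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 1500,        # IPv4 with 20-byte header, TOS, total length
        0x1234, 0x4000,       # identification, flags: Don't Fragment set
        64, 6, 0,             # TTL, protocol TCP, header checksum (not verified)
        socket.inet_aton("192.0.2.10"),      # original sender (documentation range)
        socket.inet_aton("198.51.100.20"))   # original destination
    quoted_tcp = struct.pack("!HHI", 50000, 80, 1)  # first 8 bytes of the TCP header
    icmp_header = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu)  # checksum left 0
    return icmp_header + quoted_ip + quoted_tcp

def parse_frag_needed(icmp):
    """Return PMTUD details from an ICMP type 3 code 4 message, or None."""
    if len(icmp) < 28:                       # 8-byte ICMP header + 20-byte IP header
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):          # not "fragmentation needed and DF set"
        return None
    ver_ihl, _tos, total_len, _ident, flags = struct.unpack("!BBHHH", icmp[8:16])
    if ver_ihl >> 4 != 4:                    # quoted packet is not IPv4
        return None
    guessed = mtu == 0
    if guessed:                              # pre-RFC 1191 router: step down a plateau
        mtu = next((p for p in PLATEAUS if p < total_len), 68)
    return {
        "sender": socket.inet_ntoa(icmp[20:24]),
        "destination": socket.inet_ntoa(icmp[24:28]),
        "original_length": total_len,
        "df_set": bool(flags & 0x4000),
        "next_hop_mtu": mtu,
        "mtu_guessed": guessed,
    }

if __name__ == "__main__":
    print(parse_frag_needed(build_sample(1470)))  # router reports the ADSL link MTU
    print(parse_frag_needed(build_sample(0)))     # router reports nothing usable
```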