
KB Article #101362

MTU size and path MTU Discovery in MailGate

How-to

Summary

This article provides information about the Maximum Transmission Unit (MTU) packet size and path MTU discovery in MailGate.

Details

Every network link has a maximum packet size called the Maximum Transmission Unit (MTU). The full path from one server to another may cross many links with different MTU sizes. The smallest MTU among all the links in a given path is the path MTU.

If a packet starts out on a network segment with a large MTU, it may arrive at a link with a smaller MTU and be too large to fit. Most servers are on segments with large MTU sizes. However, it is not uncommon for a MailGate server to contact a server via links with a reduced MTU size, and it is common for some packets to be too big.

The original approach to the problem was to send only small packets corresponding to the TCP/IP default MTU (576 bytes).

MailGate uses the newer approach, which tries to optimize transmission by discovering the path MTU and sending packets of the maximum size that fits. The procedure for doing this is standardized and published as RFC 1191.

The procedure is that MailGate sends packets of the largest size (1500). If a packet does not fit, a notification should be sent back stating the largest packet size the receiving side supports. The notifications arrive as ICMP (Internet Control Message Protocol) packets known as "fragmentation needed" ICMPs (ICMP type 3, subtype 4). The notifications are requested by setting the "do not fragment" (DF) bit in the packets that are sent out.

Some network and system administrators may consider all ICMP messages potentially unsafe and block them all, essentially disabling path MTU discovery. Of the several dozen ICMP types and subtypes, some might be considered unsafe, but the risk is mostly moderate and is of the "Denial of Service" nature.

By blocking ICMP 3.4, administrators effectively turn off path MTU discovery on their MailGate systems, and they might start to experience mail delivery issues. These usually appear in message tracking, logged with the error: Failed [lost connection with "relay host" while sending end of data - message may be sent more than once]
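The discovery procedure and the effect of blocking ICMP 3.4 can be reproduced offline. The following is an added example, not MailGate code: it builds and parses the RFC 1191 "fragmentation needed" message and runs the sender's logic over a path whose link MTUs (`PATH`) are constructed values, with function names chosen for illustration.

```python
import struct

FRAG_NEEDED = (3, 4)  # ICMP type 3, code 4

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frag_needed(next_hop_mtu: int, original: bytes) -> bytes:
    """RFC 1191: type, code, checksum, 16 unused bits, next-hop MTU, quoted packet."""
    body = struct.pack("!BBHHH", *FRAG_NEEDED, 0, 0, next_hop_mtu) + original
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def parse_frag_needed(msg: bytes):
    """Return the next-hop MTU, or None if msg is not a valid type 3 / code 4 ICMP."""
    if len(msg) < 8 or checksum(msg) != 0:
        return None
    mtype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    return mtu if (mtype, code) == FRAG_NEEDED else None

def send(size, link_mtus, icmp_allowed):
    """Send one DF packet along the path; returns (status, icmp_bytes_or_None)."""
    for mtu in link_mtus:
        if size > mtu:  # too big for this link, and DF forbids fragmenting
            icmp = build_frag_needed(mtu, bytes(28))  # constructed quoted header
            return ("icmp", icmp) if icmp_allowed else ("lost", None)
    return ("delivered", None)

def discover(link_mtus, icmp_allowed, start=1500, max_tries=5):
    """Sender side: returns the usable packet size, or None if discovery fails."""
    size = start
    for _ in range(max_tries):
        status, icmp = send(size, link_mtus, icmp_allowed)
        if status == "delivered":
            return size
        if status == "lost":
            continue  # no notification arrived, so the same size is retried
        mtu = parse_frag_needed(icmp)
        if not mtu or mtu >= size:
            return None
        size = mtu
    return None

PATH = [1500, 1400, 1492, 1280]  # constructed link MTUs
```

With ICMP allowed the sender settles on the path MTU in two steps; with ICMP blocked, full-size packets are silently dropped on every retry while small packets still pass, so a connection can be established and then stall once large data segments are sent.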

The recommended resolution is to allow ICMP 3.4 on the Internet-facing firewall.

Alternatively, it is possible to revert to the original approach by using the TCP/IP default MTU (576 bytes). To do this, you may request Global Support to hardcode the lower MTU value of 576 in your MailGate network configuration. However, the change may be lost during an upgrade and might need to be redone.