Ping with packet size greater than 996 is not working

Created On 09/26/18 13:48 PM - Last Modified 06/08/23 08:41 AM


Issue

A ping to a host/server with packet size of 997 bytes or more is not working.


Cause

The issue may occur because the zone protection profile assigned to the source zone of the originating ping is configured to drop any packet larger than 1024 bytes.

 

Each ping packet has an overhead of 28 bytes. Therefore, the actual size of a ping packet is n+28 bytes, where n is the size specified in the ping command. For the example above, the sizes are:

  • 996+28=1024, resulting in a successful ping
  • 997+28=1025, resulting in an unsuccessful ping
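
To confirm that a failing ping is caused by this threshold and not by something else on the path, find the exact payload size at which replies stop and check whether it lands on 996. The script below is an added example, not part of the original article or of any Palo Alto Networks tooling. It assumes a Linux host with iputils ping (the -c, -W and -s options) and an upper search bound of 1472 bytes; the simulated_firewall function is a constructed stand-in so the logic can be checked without a network.

```python
import subprocess

ICMP_OVERHEAD = 28         # per the article: on-wire size = n + 28
LARGE_PACKET_LIMIT = 1024  # threshold of the ICMP Large Packet(>1024) option


def ping_probe(host):
    """Build probe(payload) -> bool using Linux iputils ping (assumed)."""
    def probe(payload):
        cmd = ["ping", "-c", "1", "-W", "2", "-s", str(payload), host]
        return subprocess.run(cmd, capture_output=True).returncode == 0
    return probe


def largest_working_payload(probe, low=0, high=1472):
    """Binary-search the largest payload size that still gets a reply.

    Assumes every size up to the cutoff works and every larger size fails.
    Returns None if even `low` fails, and `high` if nothing is dropped.
    """
    if not probe(low):
        return None
    if probe(high):
        return high
    while high - low > 1:  # invariant: probe(low) succeeds, probe(high) fails
        mid = (low + high) // 2
        if probe(mid):
            low = mid
        else:
            high = mid
    return low


def diagnose(probe, high=1472):
    cutoff = largest_working_payload(probe, 0, high)
    if cutoff is None:
        return "no replies at any size: not a size-related drop"
    if cutoff == high:
        return f"no drop up to payload {high}: large-packet drop not in effect"
    total = cutoff + ICMP_OVERHEAD
    if total == LARGE_PACKET_LIMIT:
        return f"cutoff at payload {cutoff} ({total} bytes): matches ICMP Large Packet(>1024)"
    return f"cutoff at payload {cutoff} ({total} bytes): not the 1024-byte limit"


# Constructed stand-in for a zone with the option enabled (no network needed).
def simulated_firewall(payload):
    return payload + ICMP_OVERHEAD <= LARGE_PACKET_LIMIT
```

Against a real target, call diagnose(ping_probe("HOST")) with a placeholder host you are authorized to test; each probe sends a single echo request.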

 

Resolution

  1. Go to Network > Network Profiles > Zone Protection.
  2. Select the zone protection profile that is assigned to the zone covering the ping source.
  3. Go to Packet Based Attack Protection > ICMP Drop.
  4. Disable the option for ICMP Large Packet(>1024).
  5. Click 'OK' and commit the changes.

 

Verification

The following output shows an example where the ICMP Large Packet(>1024) option has been disabled:

Untitled2.png

 

owner: rchougale


