Q: How do I use debug to see "ICMP can't fragment" errors generated by or passing through a router?
A: The command

    #debug ip icmp

will result in the following debug messages, if there are such errors:

    ICMP: dst (10.10.10.10) frag. needed and DF set unreachable sent to 10.1.1.1

These "unreachable" messages must be allowed. If you are filtering ICMP, don't just use deny icmp any any. Make sure your interface access lists allow unreachable messages, as follows:

    access-list 101 permit icmp any any unreachable
    access-list 101 permit icmp any any time-exceeded
    access-list 101 permit icmp any any source-quench
    access-list 101 deny icmp any any
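To check saved configurations for the filtering mistake described above, the following added example (not part of the original answer) evaluates each numbered access list first-match for a "frag. needed and DF set" unreachable. It assumes rules of the form "icmp|ip any any" only; the function names and the sample lists 102-104 are made up for illustration.

```python
import re

# ACL keywords that match "fragmentation needed and DF set" (ICMP type 3,
# code 4). None means a bare "icmp any any" rule, which matches all ICMP.
COVERS_FRAG_NEEDED = {None, "unreachable", "packet-too-big"}

RULE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+(icmp|ip)\s+any\s+any(?:\s+(\S+))?$"
)

def parse(config):
    """Return {acl_id: [(action, protocol, icmp_message_or_None), ...]}."""
    acls = {}
    for line in config.splitlines():
        # A trailing "log" option does not change what the rule matches.
        line = re.sub(r"\s+log(-input)?$", "", line.strip())
        m = RULE.match(line)
        if m:
            acl_id, action, proto, msg = m.groups()
            acls.setdefault(acl_id, []).append((action, proto, msg))
    return acls

def frag_needed_verdict(rules):
    """First-match evaluation of one list for an ICMP type 3 code 4 packet."""
    for action, proto, msg in rules:
        if proto == "ip" or msg in COVERS_FRAG_NEEDED:
            return action
    return "deny"  # implicit deny that ends every access list

def audit(config):
    """Map each ACL number to what it does with "can't fragment" errors."""
    return {n: frag_needed_verdict(r) for n, r in parse(config).items()}

# Constructed sample config. 101 is the list from the answer above; 102-104
# are made-up lists showing three ways the message ends up dropped.
SAMPLE = """\
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any source-quench
access-list 101 deny icmp any any
access-list 102 deny icmp any any
access-list 102 permit ip any any
access-list 103 deny icmp any any log
access-list 103 permit icmp any any unreachable
access-list 104 permit icmp any any time-exceeded
"""

if __name__ == "__main__":
    for acl, verdict in audit(SAMPLE).items():
        print(f"access-list {acl}: frag-needed unreachable -> {verdict}")
```

List 103 shows that order matters: the permit for unreachable comes after the blanket deny and is never reached.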
