Questions: Path MTU Discovery and Handling MTU Issues
5 questions to test your understanding
Question 1 Multiple Choice
A TCP connection establishes successfully — the handshake completes and small messages transfer fine — but the connection hangs every time a large file transfer begins. Pings to the same host succeed. The DF flag is set on data packets. What is the most likely cause?
A. TCP's congestion window is collapsing due to a slow uplink
B. ICMP Fragmentation Needed messages are being blocked by a firewall, preventing PMTUD from reducing the packet size
C. The server's MSS advertisement during the handshake is misconfigured too large
D. The local network interface MTU is smaller than 1500 bytes, causing the initial path MTU estimate to be wrong
This is the classic PMTUD black hole symptom. Small packets (SYN, ACK, short messages) fit within every link's MTU and pass through fine. Large data packets with DF set exceed some intermediate link's MTU, so that router drops them and sends ICMP Fragmentation Needed back to the sender. But if a firewall blocks all ICMP, the sender never receives this feedback — it keeps retransmitting the same oversized packets, which keep getting dropped silently. The connection stalls indefinitely. The handshake works because small control packets are not affected by the MTU bottleneck.
Question 2 Multiple Choice
What is the purpose of setting the DF (Don't Fragment) flag in PMTUD, given that allowing fragmentation seems simpler?
A. DF prevents TCP reassembly at the destination from being overloaded by fragments
B. DF forces routers to send ICMP feedback when a packet is too large, so the sender can learn the bottleneck MTU and avoid fragmentation entirely
C. DF is required by the TCP specification and is set automatically regardless of PMTUD
D. DF prevents intermediate routers from modifying the packet payload in transit
PMTUD's goal is to discover and avoid fragmentation, not just work around it. Fragmentation wastes bandwidth on duplicate headers, adds reassembly latency, and forces full packet retransmission if any fragment is lost. By setting DF, the sender forces routers to send ICMP Fragmentation Needed when a packet is too large rather than silently fragmenting it. This feedback tells the sender exactly how much to shrink its packets, enabling efficient large transfers without fragmentation overhead.
Question 3 True / False
Blocking most ICMP traffic at a firewall improves security without affecting TCP functionality like Path MTU Discovery.
T. True
F. False
Answer: False
ICMP is not optional for correct TCP operation. PMTUD depends entirely on receiving ICMP Fragmentation Needed messages from bottleneck routers. Blocking ICMP creates a black hole: oversized packets with DF set are dropped silently, the sender never receives feedback, and large transfers stall. The firewall administrator may believe they're improving security, but they're breaking a fundamental IP mechanism. Selective ICMP filtering — allowing Fragmentation Needed (Type 3, Code 4) while blocking echo requests — is the correct approach.
Question 4 True / False
When a router encounters a packet larger than its outgoing link's MTU with the DF flag set, it sends back an ICMP Fragmentation Needed message containing the MTU of the bottleneck link.
T. True
F. False
Answer: True
This is the core mechanism of PMTUD. The router cannot fragment the packet (DF is set) so it drops it and sends ICMP Type 3, Code 4 (Destination Unreachable: Fragmentation Needed), including the Next-Hop MTU field — the MTU of the link the packet couldn't traverse. The sender uses this to reduce packet size and retransmit. This process repeats at each bottleneck until packets pass through every link without hitting an MTU ceiling.
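The Type 3, Code 4 message described above, parsed as an added example (not part of the original quiz): it validates a constructed sample message, reads the Next-Hop MTU field and the quoted header of the dropped packet, and applies the report to the sender's path MTU estimate. The function names, the sample addresses and ports, and the choice to ignore a zero MTU field are assumptions of this sketch.

```python
import struct

MIN_IPV4_MTU = 68    # RFC 1191 floor for a path MTU estimate
IP_TCP_HEADERS = 40  # header bytes subtracted from the MTU to get the MSS

def inet_checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_frag_needed(icmp: bytes):
    """Return (next_hop_mtu, dropped_len, df_set), or None if not a valid Type 3 Code 4."""
    if len(icmp) < 28:                       # 8 ICMP bytes + 20-byte quoted IPv4 header
        return None
    icmp_type, code, _cksum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4) or inet_checksum(icmp) != 0:
        return None
    quoted = icmp[8:]                        # start of the packet the router dropped
    if quoted[0] >> 4 != 4:                  # quoted header must be IPv4
        return None
    dropped_len, = struct.unpack("!H", quoted[2:4])
    flags_frag, = struct.unpack("!H", quoted[6:8])
    return mtu, dropped_len, bool(flags_frag & 0x4000)   # 0x4000 is the DF bit

def updated_path_mtu(current: int, reported: int) -> int:
    """Only ever shrink the estimate, and never below the 68-byte floor."""
    if reported == 0:        # MTU field left empty: nothing usable in the message,
        return current       # so this sketch keeps the estimate (a simplification)
    return max(MIN_IPV4_MTU, min(current, reported))

def sample_message(next_hop_mtu: int = 1400) -> bytes:
    """Constructed sample: a router rejecting a 1500-byte DF packet."""
    quoted_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 63, 6, 0,
                            bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    quoted = quoted_ip + struct.pack("!HHI", 49152, 443, 1)   # first 8 TCP bytes
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + quoted
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

if __name__ == "__main__":
    mtu, dropped_len, df = parse_frag_needed(sample_message())
    path_mtu = updated_path_mtu(1500, mtu)
    print(f"dropped {dropped_len}-byte packet (DF={df}); "
          f"path MTU {path_mtu}, MSS {path_mtu - IP_TCP_HEADERS}")
```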
Question 5 Short Answer
Why do PMTUD black holes cause connections to fail only during large data transfers and not during the TCP handshake or small request exchanges?
Model answer: Handshake packets (SYN, SYN-ACK, ACK) and small messages carry no large payload and fit easily within any link's MTU — typically well under 576 bytes. Only when actual data transfer begins do packets grow to the negotiated MSS size — typically 1460 bytes of data plus 40 bytes of IP/TCP headers, totaling 1500 bytes (standard Ethernet MTU). If any link along the path has a smaller MTU (e.g., a VPN at 1400 bytes or PPPoE at 1492 bytes), only those large data packets exceed the limit and get silently dropped.
This asymmetry — small packets work, large ones silently fail — is the diagnostic clue pointing to an MTU problem. Network engineers test for this by sending pings with large payloads and the DF flag set. The symptom of 'browsing works but file downloads hang' almost always indicates a PMTUD black hole.