How is packet handled when DF bit is set?

Summary

Packets larger than the MTU may still be fragmented even when the DF (Don’t Fragment) bit is set, depending on tunnel configuration and software version behavior changes introduced after R5.2.2.

Question

Why is a packet fragmented even if the DF bit is set after R5.2.2?

Customer Environment

SZ124 R5.2.2

Symptoms

  • Packets exceeding MTU are fragmented despite the DF bit being set.
  • Expected ICMP “Fragmentation Needed” messages or packet drops may not occur.
  • Behavior differs between R5.2.1, R5.2.2, and later releases (R6.1).

Root Cause

Packet-handling logic for DF-bit–set traffic over tunnels was modified after R5.2.2. The change caused packets to be fragmented under certain tunnel configurations even when the DF bit was set, which deviated from earlier behavior.

Troubleshooting Steps

  1. Verify the packet size against the configured MTU.
  2. Check tunnel configuration flags, especially:
    • PMTU
    • PMTU Discovery
    • Force Fragmentation
  3. Confirm the software version (R5.2.1 vs R5.2.2 or later).
  4. Observe whether ICMP “fragmentation needed” messages are generated or whether packets are fragmented or dropped.

Workaround

  • Disable Force Fragmentation if strict DF behavior is required.
  • Adjust MTU or application packet size to avoid fragmentation.
  • Upgrade to a version where ER-11149 is fixed if consistent DF handling is required.

Resolution

Packet handling for traffic with the DF bit set and packet size exceeding MTU is governed by tunnel configuration flags as shown below:

------ TUNNELMGR Information ------
tunnelmgr Service:      Enabled
Tunnel Establishment:   Disabled
Tunnel IPSec:           Disabled
Tunnel Authentication:  Enabled
Tunnel Cipher:          Disabled
Tunnel Cipher Key Len:
Tunnel Forward Bcast:   Disabled
PMTU:                   Auto
PMTU Discovery:         Disabled
Node Affinity:          Disabled
Force Fragmentation:    Disabled
Offload:                Disabled
Dual Tunnels:           Disabled

Behavior Introduced After R5.2.2

DF          FF    PMTU Discovery   Packet > MTU
----------------------------------------
not set  disabled  disabled        fragment
not set  disabled  enabled         fragment
not set  enabled   disabled        fragment
not set  enabled   enabled         fragment
set      disabled  disabled        fragment
set      disabled  enabled         ICMP error + packet drop
set      enabled   disabled        fragment
set      enabled   enabled         fragment

Rolled-Back Behavior (Same as R5.2.1)

After review, Ruckus reverted the behavior to align with R5.2.1 logic:

DF         FF   PMTU Discovery   Packet > MTU
----------------------------------------
not set  disabled  disabled      fragment
not set  disabled  enabled       fragment
not set  enabled   disabled      fragment
not set  enabled   enabled       fragment
set      disabled  disabled      ICMP error + packet drop
set      disabled  enabled       ICMP error + packet drop
set      enabled   disabled      fragment
set      enabled   enabled       fragment

This ensures that when the DF bit is set and Force Fragmentation is disabled, oversized packets are dropped with an ICMP error instead of being fragmented.

Note: This change was made in ER-11149 after R5.2.2 and R6.1.

Article Number:
000012253

Updated:
January 30, 2026 09:49 AM (2 months ago)

Tags:
Configuration, Troubleshooting, Known Issues and Workarounds, SmartCell Gateway

Votes:
1

This article is:
helpful
not helpful

Working...Please wait

This is here to prevent you from accidentally submitting twice.

The page will automatically refresh.

Alert!!

Close