Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Understanding Path MTU Discovery and how Juniper firewall devices can help minimize fragmentation.



Article ID: KB7049 KB Last Updated: 16 Apr 2013Version: 6.0
Juniper firewall devices help prevent fragmentation of large size datagrams.
  • Path MTU discovery = Path Maximum Transmission Unit (PMTU) Discovery.
  • As Referenced from RFC 1191.
  • "set flow path-mtu" enables the Firewall to support PMTU discovery.
  • Excessive fragmentation causes loss of networking efficiency.
  • Some firewalls will drop fragments.

Symptoms & Errors:
  • Understanding the role of Path MTU discovery and how the Firewall device can support it.


PMTU discovery attempts to prevent fragmentation from occurring.

Normally hosts send packets whose size is based on the MTU of the interface that the host is communicating on, for example 1,518 bytes for Ethernet. However, if the hosts are communicating over a non-local network such as the Internet, it is possible that there may be a link in-between whose MTU is less than 1518 bytes. In this case, the router connected to this link would fragment the packet to several smaller packets before forwarding the data over that link.

To avoid this packet fragmentation, the initiating host sends a regular packet whose size is based on its interface MTU, with the Don't Fragment (DF) flag set. This tells any intermediate router that it must not fragment this packet. If a router receiving this packet must fragment it in order to transmit it over a low MTU link, it drops the packet and sends an ICMP Destination Unreachable message to the originator. This warning message may also contain information specifying the MTU that the host must use in order for the packet to be forwarded over the low MTU link. The host now reduces its Path MTU estimate to the value specified in this warning; or, if no value was given, the host can iteratively try smaller MTU sizes. The host then resends the packet.

The packet may get through this time, or there may be an even smaller MTU link further downstream, in which case the router connected to it will send another warning, so the above process is repeated. Eventually, the host will find the smallest MTU in its path to the remote host, and use this value to avoid fragmentation.

Path MTUs can change over time, meaning that the packets may be re-routed over different links. Therefore the DF bit is always set, and the host will be notified if a new smaller MTU link is suddenly introduced into the path. Of course, the path MTU might increase as well - in this case the RFC allows for the host to periodically send a packet larger than the current path MTU  to see if it gets through.

Additional Information:

For more details check:  KB5040 - Is Path MTU supported on NS-5000 or ISG-2000 ?

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search