{
  "id": "networking/vlan-mtu-mismatch",
  "signature": "ICMP: Frag needed but DF set for packet size 1500 on vlan100",
  "signature_zh": "ICMP：需要分片但设置了DF标志，数据包大小1500，VLAN100",
  "regex": "ICMP: Frag needed and DF set.*packet size \\d+ on vlan\\d+",
  "domain": "networking",
  "category": "network_error",
  "subcategory": null,
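  "root_cause": "A packet with the Don't Fragment (DF) flag set exceeds the MTU of a VLAN interface (e.g., 1400 due to QinQ or MPLS overhead), so the router drops it and sends an ICMP Fragmentation Needed message back to the sender. If the sender ignores that message, or never receives it because ICMP is filtered on the return path, it keeps sending oversized packets, leading to a path-MTU black hole.",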
  "root_cause_type": "generic",
  "root_cause_zh": "设置了不分片（DF）标志的数据包超过了VLAN接口的MTU（例如由于QinQ或MPLS开销导致MTU为1400），路由器发送ICMP需要分片消息，但发送方忽略该消息，导致通信黑洞。",
  "versions": [
    {
      "version": "Linux kernel 5.10-6.8",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Cisco IOS XE 17.x",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Juniper Junos 21.x-23.x",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Nginx 1.24-1.26",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "HAProxy 2.8-3.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "Increasing MTU on the VLAN interface to 1500 without adjusting underlying physical links",
      "why_fails": "The physical path (e.g., MPLS or QinQ) adds headers, so the actual MTU remains lower; increasing VLAN MTU alone causes fragmentation at lower layers or silent drops.",
      "fail_rate": 0.85,
      "condition": "",
      "sources": []
    },
    {
      "action": "Disabling DF flag on all TCP packets using iptables rules",
      "why_fails": "Many applications (e.g., NFS, IPsec) require DF for PMTUD; disabling it can cause path MTU discovery failure and performance degradation.",
      "fail_rate": 0.7,
      "condition": "",
      "sources": []
    },
    {
      "action": "Ignoring the error and assuming it's a transient network issue",
      "why_fails": "The error persists and causes intermittent timeouts for large-file transfers or streaming, leading to user complaints and retransmission storms.",
      "fail_rate": 0.9,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Reduce the TCP MSS on the server to account for VLAN overhead: run `ip link set dev eth0 mtu 1400` on the server, then adjust MSS clamping via iptables: `iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu`",
      "success_rate": 0.85,
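      "how": "Reduce the TCP MSS on the server to account for VLAN overhead: run `ip link set dev eth0 mtu 1400` on the server, then adjust MSS clamping via iptables: `iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu`. The FORWARD chain only sees traffic the host routes on behalf of other machines; connections the server itself terminates are not touched by this rule and rely on the lowered interface MTU instead.",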
      "condition": "",
      "sources": []
    },
    {
      "action": "Configure MSS clamping on the router for the VLAN: on Cisco, `ip tcp adjust-mss 1360` on the VLAN interface; on Linux, use `ebtables` or `iptables` to rewrite MSS.",
      "success_rate": 0.8,
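      "how": "Configure MSS clamping on the router for the VLAN: on Cisco, `ip tcp adjust-mss 1360` on the VLAN interface (1360 is a 1400-byte MTU minus 40 bytes of IPv4 and TCP headers); on Linux, rewrite MSS with the `iptables` `TCPMSS` target in the mangle table. Note that `ebtables` works at the Ethernet layer and does not itself provide an MSS-rewriting target.",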
      "condition": "",
      "sources": []
    },
    {
      "action": "Increase the MTU on the entire path (e.g., set jumbo frames on switches and routers) if the infrastructure supports it, but verify end-to-end consistency.",
      "success_rate": 0.7,
      "how": "Increase the MTU on the entire path (e.g., set jumbo frames on switches and routers) if the infrastructure supports it, but verify end-to-end consistency.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "Reduce the TCP MSS on the server to account for VLAN overhead: run `ip link set dev eth0 mtu 1400` on the server, then adjust MSS clamping via iptables: `iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu`",
    "Configure MSS clamping on the router for the VLAN: on Cisco, `ip tcp adjust-mss 1360` on the VLAN interface; on Linux, use `ebtables` or `iptables` to rewrite MSS.",
    "Increase the MTU on the entire path (e.g., set jumbo frames on switches and routers) if the infrastructure supports it, but verify end-to-end consistency."
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://datatracker.ietf.org/doc/html/rfc1191",
  "official_doc_section": null,
  "error_code": "EMSGSIZE",
  "verification_tier": "ai_generated",
  "confidence": 0.85,
  "fix_success_rate": 0.8,
  "resolvable": "partial",
  "first_seen": "2024-03-15",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}