Dropped Path MTU Discovery messages are shown in the SonicWall Logs

Description

Dropped Path MTU Discovery messages are shown in the SonicWall Logs

Resolution

Overview/Topic:

A Path MTU Discovery ICMP message is the mechanism by which network devices dynamically discover the MTU of an arbitrary network path. It is usually sent to a node by a router when that node is sending packets that are too large for the router to forward. When the node receives this message from the router, it usually reduces the size of the packets it sends automatically, to the size specified in the message.

What is probably happening here is that a node on your SonicWall’s LAN is trying to connect to a server on the Internet, but the packets it is sending out are too large to be passed by some router between the SonicWall and the server. When that router tries to send the Path MTU Discovery message back to the node, the SonicWall blocks it, because the ICMP packet is treated as a new connection rather than as part of the connection originated by the LAN node.

The SonicWall does not honor Path MTU Discovery messages, nor pass them to the LAN, because there is no way to authenticate them and they can be used as a form of attack. For example, someone can mount a denial of service attack against an unprotected server simply by sending it a Path MTU Discovery packet that directs the server to limit packet size to 5 bytes instead of the normal 1500 bytes. This slows the server down to a crawl, because it has to split the same amount of data into many more packets, creating much overhead.
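To make the two points above concrete, the following is an added example (not SonicWall code) of what a stateful inspector can and cannot tell from an inbound ICMP "fragmentation needed" (type 3, code 4) datagram: the outer packet is a fresh router-to-host flow with no session of its own, so the only way to tie it to an existing connection is to parse the original IP header and ports that the ICMP message quotes, and the advertised MTU must be sanity-checked against the IPv4 minimum. All addresses, ports and the session table are constructed sample values; checksums are left at zero.

```python
import struct

MIN_IPV4_MTU = 68  # RFC 791: every IPv4 host must accept datagrams of at least this size

def _ip_bytes(ip):
    return bytes(map(int, ip.split(".")))

def build_ipv4(src, dst, proto, payload, total_len=None):
    """Minimal IPv4 header (no options, checksum left 0) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len or 20 + len(payload),
                      0, 0, 64, proto, 0, _ip_bytes(src), _ip_bytes(dst))
    return hdr + payload

def build_ptb(router, lan_host, mtu, osrc, osport, odst, odport):
    """Constructed ICMP type 3 code 4 from router to lan_host, quoting the header and
    first 8 bytes of the 1500-byte TCP datagram that was too large to forward."""
    quoted = build_ipv4(osrc, odst, 6, struct.pack("!HH", osport, odport) + b"\0" * 4, 1500)
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + quoted   # RFC 1191 header layout
    return build_ipv4(router, lan_host, 1, icmp)

def parse_ipv4(buf):
    """Return (src, dst, proto, header_len) for a raw IPv4 header."""
    f = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    return ".".join(map(str, f[8])), ".".join(map(str, f[9])), f[6], (f[0] & 0x0F) * 4

def classify_ptb(packet, flows):
    """What a stateful inspector can say about an inbound ICMP datagram.
    flows: set of (lan_src, sport, remote_dst, dport, proto) for established sessions.
    Returns 'not-ptb', 'bad-mtu', 'no-matching-flow' or 'matches-flow'."""
    _, _, proto, ihl = parse_ipv4(packet)
    if proto != 1:
        return "not-ptb"
    icmp = packet[ihl:]
    itype, icode, _, _, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
    if (itype, icode) != (3, 4):
        return "not-ptb"
    if next_hop_mtu < MIN_IPV4_MTU:          # the "limit to 5 bytes" case from the text
        return "bad-mtu"
    qsrc, qdst, qproto, qihl = parse_ipv4(icmp[8:])       # quoted original datagram
    sport, dport = struct.unpack("!HH", icmp[8 + qihl:8 + qihl + 4])
    return "matches-flow" if (qsrc, sport, qdst, dport, qproto) in flows else "no-matching-flow"

if __name__ == "__main__":
    flows = {("192.168.1.10", 40000, "203.0.113.5", 443, 6)}   # constructed session table
    ptb = build_ptb("198.51.100.1", "192.168.1.10", 1400,
                    "192.168.1.10", 40000, "203.0.113.5", 443)
    print(classify_ptb(ptb, flows))   # matches-flow
```

Without the quoted-header lookup, every such message looks like a new inbound ICMP connection from the router and is dropped exactly as the log shows.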

Related Articles

  • How to configure Link Aggregation
  • Web Proxy Forwarding is not Supported to a Server on the LAN
  • How to block ICMP (Ping) using Application control