Do you have to change the default MTU size of Windows TCP stack from1500 to lower than 1400 in your environment in order to optimize packet sizes for each medium too?

We do not modify the Windows stack. We have, however, modified the MTU size to be below 1400 in order to optimize some file replication we are doing.

Is it possible to attach a copy of the wireshark capture when managing AMT?

I will have to clear it through our security team, but possibly. I will get back to you.

Also what is the version of AMT and manufacture and model of the vPro system?

We are on firmware version 5.0.1.1111 as supplied by Dell for the Optiplex 960.

Was system provisioned with use of Provisioning Certificate, PID/PPS, or simply in non-secure manner?

PID/PPS

Hi Jason,

When you provisioned the system, did you choose the option "Do not respond to ping" or "Ping Disabled" as part of the vPro provisioning profile? If so that is more likely the root cause of your problem. Currently any version of AMT below 5.1, does not support PMTU (Path discovery MTU) when the Ping to vPro option is disabled. PMTU relies on ICMP to negotiate the right MTU size between two network devices and disabling Ping, blocks ICMP traffic. This issue does not impact the provisioning of vPro system as "Ping Disabled" option comes to play after provisioning completed. If you systems are all AMT 5.x, the best is to work with Dell to get AMT 5.1.x firmware update and upgrade all systems. Alternative is to keep the Ping to vPro option enabled. If you have any system with AMT version 4.x or lower and you do not wish to keep the Ping to vPro option as enabled, let us know so we look into a better solution.

Regards,

Ali

Ali,

I do not have the option "Do not respond to ping" or Ping Disabled" set. I double checked that the option was not enabled on one of my test systems by browsing to the HTTPS page and verifying that "Respond to Ping" is selected in the "Network Settings" section.

I will go ahead and get the 5.1.x firmware update and let you know if that makes any difference. If you have any other suggestions, let me know.

Thanks,

Jason,

Then it seems like AMT firmware below 5.1 version does not support Path Discovery MTU (PMTU) regardless of the ping option settings in the firmware. Please update your system with 5.1 firmware version and let me know the result to follow up with developers.

Thanks

Hi Jason,

I confirmed with team that ICMP is filtered as long as host OS is up and running for all AMT versions below 5.1. Therefore PMTU that relies on ICMP will fail. This issue is fixed in AMT 5.1 version. Would it be possible to test the AMT use cases on a system that host OS is not running? It's easier to boot the system to a non-bootable CD or simply disconnect the hard drive cable. We expect to see different result as ICMP is no longer filtered in this scenario. Let me know what you will find.

Thanks,

I am testing with the 5.1 firmware upgrade today. I will also run the test without the OS loaded to see how it behaves.

What about 4.0 versions and below? Will there or is there a firmware update available to include the fix for PMTU filtering? I have quite a few AMT 3.0 PC's out there as well.

Thanks Jason. Let me know what you will find. At this point there is no plan to address this issue for legacy firmware versions but if we can justify the effort, team will lookinto it. I will communicate your requirement to team for the follow up.

Regards,

Hi Jason,

Did you try 5.1 firmware and/or AMT OOB use cases on a system with no OS?

Regards,

Ali,

Sorry for the delay in response. Here are the tests I ran. The workstations were already provisioned prior to the test.

No

So, it would appear that the new firmware (5.1) is working in our environment!! I didn't, however, get the same results between a 5.0 and 3.0 firmware when the OS wasn't loaded. 3.0 worked but 5.0 didn't. Not sure what that was about. Maybe I did something wrong...I didn't spend too much time troubleshooting.

We would definitely be very appreciative if the issue could be addressed in legacy firmware as well (specifically 3.0 for us). We have a couple hundred AMT 3.0 PC's already in use (vPro currently disabled) as well as some already purchased that have not yet been deployed. It would be great to be able to get vPro working on them as well.

Thanks again for your help!

Jason,

Glad to see 5.1 firmware update resolved your outstanding issue with PMTU. I shared your input with Engineering team and informed them about your requirement for a patch on AMT 3.x version to support PMTU.

Best Regards,

Ali,

Is there a more formal process I can go through to officially request the PMTU issue be resolved in the 3.0 firmware version? It would be very helpful in our environment if we could get the 3.0 working.

Thanks!

Hi Jason,

I forwarded your request the same day you posted your message to follow up but unfortunately have not heard back from anyone. I see due to the complexity of changes on legacy firmware, the effort may require serious business justification. Sorry that I have been much of help here. If you feel you need to pursue the issue, please explore the official channels.

Regards,