• Cisco Security Cloud Control Management: Cloud-Delivered Firewall Management Center for Government
  • Onboard Devices to Cloud-Delivered Firewall Management Center
  • System Settings
  • Optimize Firewall Performance with AIOps
  • Health and Monitoring
  • Tools
  • Reporting and Alerting
  • Event and Asset Analysis Tools
  • Events and Assets
  • High Availability and Scalability
    • Multi-Instance Mode
    • Logical Devices on the Firepower 4100/9300
    • High Availability for Devices
    • Clustering: Secure Firewall 3100/4200/6100
      • About Clustering for the Secure Firewall 3100/4200/6100
      • Licenses for clustering
      • Requirements and Prerequisites for Clustering
      • Guidelines for Clustering
      • Configure Clustering
        • About Cluster Interfaces
          • Cluster Control Link
            • Cluster Control Link Traffic Overview
            • Cluster Control Link Interfaces and Network
            • Size the Cluster Control Link
            • Cluster control link MTU ping testing
            • Cluster Control Link Redundancy
            • Cluster Control Link Reliability
          • Spanned EtherChannels (Recommended)
          • Individual Interfaces (Routed Firewall Mode Only)
        • Cable and Add Devices to the Cloud-Delivered Firewall Management Center
        • Create a Cluster
        • Configure Interfaces
        • Configure Cluster Health Monitor Settings
        • Configure Distributed Site-to-Site VPN
      • Manage Cluster Nodes
      • Monitoring the Cluster
      • Troubleshooting the Cluster
      • Examples for Clustering
      • Reference for Clustering
      • History for Clustering
    • Clustering: Private Cloud
    • Clustering: Public Cloud
    • Clustering: Firepower 4100/9300
  • Interfaces and Device Settings
  • Routing
  • Network Policies
  • Secure Connections
  • Zero Trust Network Access
  • Access Control Policy Basics
  • Decryption Policies and Encrypted Visibility for Access Control
  • Identity Policies for Access Control
  • Advanced Policies and Settings for Access Control
  • Custom Intrusion Policies for Access Control
  • Network Discovery
  • Objects and Certificates
  • Reference

Cluster control link MTU ping testing

Control node ping test

When a node joins the cluster, the control node sends a ping with a payload size of twice the MTU. This process tests the network's ability to handle packet fragmentation because the underlying IP layer will fragment packets that exceed the MTU limit.

A successful ping confirms that the network path supports proper fragmentation and that the cluster control link can reliably process traffic at the configured MTU size.

If the ping fails, view the following messages:

  • show cluster history —Event: CCL MTU test to unit name failed

  • Console warning—WARNING: Unit name is not reachable in CCL jumbo frame ICMP test, please check cluster interface and switch MTU configuration

Even if the ping fails, the node is allowed to join the cluster. In this case, you need to resolve the MTU mismatch as soon as possible.

Data node ping test

When a node joins the cluster, the joining node checks MTU compatibility by sending a ping to the control node with a packet size matching the cluster control link MTU. If the initial ping fails, the node tries a ping using a smaller packet size (the MTU divided by 2, then by 4, then by 8) until a ping succeeds.

If the ping fails, view the following messages:

  • show cluster info trace —Warning: CCL MTU is configured to cfg_mtu_size. However CCL MTU test to unit name failed with size larger_test_size (passed with size smaller_test_size). Please check switch MTU configuration.

    To easily view this warning, filter on the show output using show cluster info trace | incl MTU .

  • show cluster history , Cloud-Delivered Firewall Management Center notification—Warning: MTU mismatch detected on the CCL interface. Please ensure that the MTU setting on the connected switch matches the firewall's configured MTU (cfg_mtu_size).

  • Console warning—WARNING: Unit name is not reachable in CCL jumbo frame ICMP test, please check cluster interface and switch MTU configuration

Even if the ping fails, the node is allowed to join the cluster. In this case, you need to resolve the MTU mismatch as soon as possible.

Copyright © 2026, Cisco Systems, Inc. All rights reserved.