George Borisov wrote:
> Matt Ryan wrote:
>> Only if you have pMTU running successfully end-to-end. That requires
>> ICMP working end-to-end which I think I read was a problem with your
>> set-up...
>
> What's the best way to test this sort of stuff?
>
> I must admit I am still confused. I reduced the MTU on both
> internal and external interfaces of the firewall, but I am still
> having problems. (Client PCs in SA have trouble connecting to the
> Exchange server in the UK; reducing the MTU on the client PC
> fixed it.)
>
> In addition, reducing the MTU on the internal interface broke
> access to some websites (e.g. microsoft.com :-p) How does that
> one work? 8-/
Microsoft is notorious for acting badly in the scenario where the end-to-end
MTU is less than 1500 bytes. That said, poor practice in setting up firewall
rules (blocking all ICMP) is just as bad, as pMTU
(http://en.wikipedia.org/wiki/PMTU) then also fails.

To avoid any problems you need to have an end-to-end connection that can
manage 1500-byte packets. If you can't do that then you need to either use a
tunnelling technique that allows transparent segmentation/reassembly of
packets that exceed the MTU (Cisco routers will allow this with GRE and
perhaps L2TPv3) or lower the MTU on all clients.

Testing using 'ping -s 1500 <dest_ip>' is the best option to check everything
will work.

Matt.
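An added example (not from the thread above) of the probing the reply describes: it binary-searches the largest ping payload that crosses the path with the Don't Fragment bit set, and reports when no probe is answered at all, which is the "ICMP blocked" case rather than a small MTU. It assumes Linux iputils ping (the `-M do` flag is not on the page) and a hypothetical helper named `probe_ok`.

```shell
#!/bin/sh
# Added example, not the list poster's code: locate the path MTU to a host by
# sending DF-marked pings (iputils: -M do) and binary-searching the largest
# payload that is answered. ICMP payload = MTU - 20 (IPv4 hdr) - 8 (ICMP hdr).
HDR_OVERHEAD=28

# Hypothetical helper: returns 0 if one DF-marked ping with payload $1 to
# host $2 is answered within 2 seconds (iputils flags -c, -W, -M, -s).
probe_ok() {
    ping -c 1 -W 2 -M do -s "$1" "$2" >/dev/null 2>&1
}

# find_pmtu HOST LO HI: binary search payload sizes LO..HI; print the path MTU
# (largest answered payload + 28). Exit 1 if nothing is answered, which points
# at filtered ICMP (or a dead host) rather than a small MTU.
find_pmtu() {
    host=$1; lo=$2; hi=$3
    best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if probe_ok "$mid" "$host"; then
            best=$mid          # this size got through; try larger
            lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))  # too big (or dropped); try smaller
        fi
    done
    if [ "$best" -eq 0 ]; then
        echo "no DF probe answered: ICMP filtered or host down?" >&2
        return 1
    fi
    echo $(( best + HDR_OVERHEAD ))
}

# Usage (548 = payload for the 576-byte IPv4 minimum, 1472 = payload for 1500):
#   find_pmtu 192.0.2.10 548 1472
```

A result below 1500 confirms the clamped-MTU scenario from the thread; an exit status of 1 with a 1500-byte path points at the firewall's ICMP rules instead.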