On Tue, 16 Jan 2001, Miguel Martinez wrote:

> Hi!
> 
> I hope someone can help me.  We are running a web based application that
> makes queries to an Oracle server in a remote network over a WAN with a VPN
> tunnel made by the routers.  The problem is that the web based application
> is sending packets with the "don't fragment" bit on.  So, when the routers

Setting DF is completely normal for systems that expect path MTU discovery
to happen.  Is it possible that the ICMP messages aren't making it back
for fragmentation to occur due to filtering?  That's a common occurrence
with sites that block ICMP.  I recall seeing a lot of PMTU issues with
IPSEC tunnels before though- so it could just be a good idea to reset the
MTU on your interfaces.  Some DHCP implementations make this easy if
you're not statically assigning addresses.

> encrypt the packets they can't fragment the big ones and drop them.  I
> don't know where this fragment bit came from or who established it?  The web
> based application was developed in-house.

It's normally done by the IP stack.  On Linux boxen I think it's a kernel
parameter for PMTU Discovery- I recall seeing it in the 2.0 config
stuff, but I haven't looked recently.  Not sure if you can turn off PMTU
on Windows boxes, but you can reset interface MTUs, or at least there's a
registry key for the MTU for each interface.

> If someone can bring me some clue, I will really appreciate it!
> Thanks for your help.

Hope at least some of this helps.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
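
An added example, not part of the original message: the ICMP message that path MTU discovery depends on is Destination Unreachable, code 4 ("fragmentation needed and DF set"), and a firewall that filters it leaves the sender with no signal to shrink its packets. The Python sketch below decodes one from raw bytes (the layout follows RFC 792 and RFC 1191); the sample packet, its addresses and the function names are constructed for illustration.

```python
import struct

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4    # "fragmentation needed and DF set"
IP_FLAG_DF = 0x4000     # DF bit in the 16-bit flags/fragment-offset field

def parse_frag_needed(icmp: bytes):
    """Decode an ICMP type 3 code 4 message; return None for anything else."""
    if len(icmp) < 8 + 20:            # ICMP header + embedded IPv4 header
        return None
    icmp_type, code, _cksum, _unused, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        return None
    inner = icmp[8:]                  # header of the packet the router dropped
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", inner[:8])
    if ver_ihl >> 4 != 4:
        return None
    return {
        "next_hop_mtu": next_hop_mtu,             # 0 = router predates RFC 1191
        "dropped_len": total_len,
        "df_set": bool(flags_frag & IP_FLAG_DF),
        "src": ".".join(map(str, inner[12:16])),  # host that must lower its MTU
        "dst": ".".join(map(str, inner[16:20])),
        # Largest TCP payload that fits: MTU minus 20-byte IP and TCP headers.
        "tcp_mss": next_hop_mtu - 40 if next_hop_mtu else None,
    }

def build_sample(mtu=1400, length=1500):
    """Constructed sample: a router reports MTU 1400 for a 1500-byte DF packet.
    Checksums are left at zero because the parser does not verify them."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 0x1234, IP_FLAG_DF,
                        64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    inner += b"\x00" * 8              # first 8 bytes of the dropped TCP segment
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, mtu) + inner

if __name__ == "__main__":
    print(parse_frag_needed(build_sample()))
```

If a capture on the sending host's side of the firewall never shows a message that decodes this way while large DF packets keep vanishing, the ICMP is being filtered somewhere on the return path.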
