Hello Marcel,

Have you tried to change the MTU size on the Nokia Machine?


The MTU size can be changed on any interface using the command "ifconfig".
To make the change permanent, the command must be entered into the
"rc.local" file.

The syntax used to change the MTU is:
ifconfig interface mtu x (where x is the new mtu size)

The rc.local file is located in /var/etc. If the file is not there, simply
create a file named rc.local in this directory.

NOTE: Changing the MTU is not supported, however, the above procedure does
work. After making the change with ifconfig, Voyager will still report the
maximum MTU supported by the interface. This is normal. To see the actual
MTU size being used, run ifconfig -a

Regards,

Paul



-----Original Message-----
From: Marcel Cook [mailto:[EMAIL PROTECTED]
Sent: 08 December 2003 10:44
To: [EMAIL PROTECTED]
Subject: [FW-1] MTU issue routing traffic via Cisco GRE tunnel to
Nokia/Check Point firewall


We have been suffering an issue to do with Checkpoint, Cisco GRE tunnels
and MTU size for a number of months now, and I thought it might be worth
posting a description of our problem on this list in case someone is able
to help.  We feel that we have exhausted most avenues of trying to
troubleshoot this issue.

What we are trying to do is route Internet traffic for remote branch office
sites via our central office's Internet connection.  As an example, we have
a 2Mb AT&T Internet connection in our Paris office, connected to a 15Mb
AT&T Internet connection in London.  We run a Cisco GRE tunnel between a
3640-VPN/MP router in Paris and a 7206VXR/G1 router in London.  In London,
we also have a Nokia IP530 appliance running a fresh install of Check Point
NG:AI, connected to a 10Mb PSINet Internet connection.

The Cisco GRE tunnel has a MTU size of 1420 set at both ends for its
tunnel interfaces.  This is the highest we can use based on the
encryption/encapsulation chosen in order to facilitate protocols such as
OSPF from working over the link.  All other interfaces along the way
(router ethernets and Nokia interfaces) are set to the default 1500.

The problem is that users in the Paris branch office are unable to view
_some_ websites.  Examples of ones that don't work are www.yahoo.fr and
www.adp.fr.  The majority work fine, including www.cisco.com and
www.google.com.

When running a tcpdump on the IP530 in London (on the external interface),
during a session from Paris to one of the offending websites, the following
is logged:

16:36:21.025051 O 154.38.47.5 > 194.3.182.10: icmp: 154.38.47.5 unreachable - need to frag (mtu 1420)
16:36:27.586541 I 194.3.182.10.80 > 154.38.47.5.41571: . 1:1461(1460) ack 249 win 63992 (DF)
16:36:27.588356 O 154.38.47.5 > 194.3.182.10: icmp: 154.38.47.5 unreachable - need to frag (mtu 1420)
16:36:40.711277 I 194.3.182.10.80 > 154.38.47.5.41571: . 1:1461(1460) ack 249 win 63992 (DF)
16:36:40.713043 O 154.38.47.5 > 194.3.182.10: icmp: 154.38.47.5 unreachable - need to frag (mtu 1420)

We have also noticed that the packet size of traffic received from
offending sites seems to be 1514 bytes.  For sites that work, i.e.
cisco.com, it seems to be 1486 bytes.

We have tried lots of things on the GRE tunnel configuration on our Cisco
routers, including settings to ignore the Don't Fragment (DF) bit, and to
force different MTU sizes.  A long-running Cisco TAC case has not suggested
any way around our problem.

Can anyone explain the cause of this problem, and suggest anything that can
be done on our Nokia/Check Point configuration to prevent this occurring?
Out of interest, when we route the Internet traffic past the Nokia IP530
firewall and onto an Internet connection at another downstream site, which
uses a Cisco PIX firewall instead, the remote Paris users ARE able to
browse the offending websites successfully.  This indicates that it must be
something to do with the Nokia/Check Point installation.

Any comments or suggestions would be greatly received.

Thanks,
Marcel

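The capture Marcel quotes shows the symptom of a path-MTU-discovery black hole: the firewall sends ICMP "need to frag (mtu 1420)" to the web server, and the server resends the same 1460-byte segment with DF set instead of shrinking it. The following script, an added example and not code from either poster, parses tcpdump lines in that format and flags remote hosts that keep resending full-size DF segments after being told the path MTU; it assumes IPv4 with no TCP options (40 bytes of headers) when it derives the MSS a sender would need.

```python
"""Detect a PMTUD black hole in tcpdump output (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample: the five records quoted in the original message, one per line.
SAMPLE = """\
16:36:21.025051 O 154.38.47.5 > 194.3.182.10: icmp: 154.38.47.5 unreachable - need to frag (mtu 1420)
16:36:27.586541 I 194.3.182.10.80 > 154.38.47.5.41571: . 1:1461(1460) ack 249 win 63992 (DF)
16:36:27.588356 O 154.38.47.5 > 194.3.182.10: icmp: 154.38.47.5 unreachable - need to frag (mtu 1420)
16:36:40.711277 I 194.3.182.10.80 > 154.38.47.5.41571: . 1:1461(1460) ack 249 win 63992 (DF)
16:36:40.713043 O 154.38.47.5 > 194.3.182.10: icmp: 154.38.47.5 unreachable - need to frag (mtu 1420)
"""

# Outbound ICMP need-to-frag: capture the remote host we told and the MTU we advertised.
ICMP_RE = re.compile(r"^\S+ O (\S+) > (\S+): icmp: .*need to frag \(mtu (\d+)\)")
# Inbound TCP data segment with DF set: capture sender, seq range and payload length.
TCP_RE = re.compile(r"^\S+ I (\S+?)\.(\d+) > (\S+?)\.(\d+): \S+ (\d+):(\d+)\((\d+)\) .*\(DF\)")
IP_TCP_HEADERS = 40  # assumption: IPv4 + TCP without options


def find_black_holes(capture, min_repeats=2):
    """Return one finding per (remote host, segment) that was resent unchanged,
    too large for the advertised path MTU, at least min_repeats times."""
    need_frag = {}                 # remote host -> path MTU we advertised to it
    repeats = defaultdict(int)     # (remote host, seq range, length) -> resend count
    for line in capture.splitlines():
        m = ICMP_RE.match(line)
        if m:
            need_frag[m.group(2)] = int(m.group(3))
            continue
        m = TCP_RE.match(line)
        if m:
            src, seg = m.group(1), (m.group(5), m.group(6), int(m.group(7)))
            mtu = need_frag.get(src)
            # A DF segment that still exceeds the path MTU after our ICMP means the
            # sender never acted on it (ICMP filtered or ignored upstream).
            if mtu is not None and seg[2] + IP_TCP_HEADERS > mtu:
                repeats[(src, seg)] += 1
    return [
        {"server": src, "segment": f"{a}:{b}({n})", "path_mtu": need_frag[src],
         "resends_after_icmp": c, "max_mss_for_path": need_frag[src] - IP_TCP_HEADERS}
        for (src, (a, b, n)), c in repeats.items() if c >= min_repeats
    ]


if __name__ == "__main__":
    for finding in find_black_holes(SAMPLE):
        print(finding)
```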

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================




