Make sure your router interfaces aren't configured with "no icmp unreachables" make sure any implied rules dealing with ICMP aren't blocking icmp "packet too big" messages. IPSO isn't path mtu compliant, but this isn't really the problem. Almost every time this question is asked, it ends up being solved because ICMP error messages are blocked somewhere.
Mitchell -- http://www.securestandard.com/ Directory of Information Security White Papers > What ICMP codes? Who sends them? The client, the enforcement module, the > host behind the enforcement module? Thanks for the help. > > -Aaron > > -----Original Message----- > From: "Rodriguez Quintero, Juan Diego, SYNAPSIS Per�" > [mailto:[EMAIL PROTECTED] > Sent: Friday, January 30, 2004 10:06 AM > To: [EMAIL PROTECTED] > Subject: RE: [FW-1] MTU Path Discovery - Not working on NG-AI > > Have you checked your router...? you may be blocking some icmp codes there. > > > > -----Mensaje original----- > De: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] > Enviado el: Viernes, 30 de Enero de 2004 11:53 a.m. > Para: [EMAIL PROTECTED] > Asunto: [FW-1] MTU Path Discovery - Not working on NG-AI > > > We use R54 Build 132 clients, against a R54 gateway (no HFA's)/ IPSO 3.7 > Build 23. I have read several threads where people say MTU should not be an > issue with SecuRemote on NG-AI, yet we continually have users that have to > run MTUAdjust, in order to connect to certain apps through the VPN. Could > we be blocking something, so MTU Path Discovery cannot work properly? Just > trying to kill one more mystery. Any help would be greatly appreciated. > > > > -Aaron > > > > > ================================================= > To set vacation, Out-Of-Office, or away messages, > send an email to [EMAIL PROTECTED] > in the BODY of the email add: > set fw-1-mailinglist nomail > ================================================= > To unsubscribe from this mailing list, > please see the instructions at > http://www.checkpoint.com/services/mailing.html > ================================================= > If you have any questions on how to change your > subscription options, email > [EMAIL PROTECTED] > ================================================= > > ================================================= > To set vacation, Out-Of-Office, or away messages, > send an email to [EMAIL PROTECTED] > in the BODY of the email add: > set fw-1-mailinglist nomail > ================================================= > To unsubscribe from this mailing list, > please see the instructions at > http://www.checkpoint.com/services/mailing.html > ================================================= > If you have any questions on how to change your > subscription options, email > [EMAIL PROTECTED] > ================================================= > > -- Mitchell Rowton CISSP, CCNP, CCDP, CCSA, NSA-IAM, Security+, Network+ Attack Prevention - http://www.attackprevention.com/ Information Security News - Articles - WhitePapers - Policies ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] =================================================
