Was this change acknowledged by Check Point, or something you figured
out and implemented?

Thanks,
Ben

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 [mailto:FW-1-
> [EMAIL PROTECTED] On Behalf Of stromsec
> Sent: Thursday, April 12, 2007 3:53 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [FW-1] MTU problems after upgrade
> 
> Hi,
> 
> I have had the same problem, and there is a change between R55 and
> NGX. In R55 the ICMP "Don't fragment" message was allowed even when
> received from an address not defined in antispoofing. Check for packets
> dropped due to antispoof; the ICMP message will come from a router's link
> address that now in NGX needs to be included in aspoof.
> 
> Hope this helps.
> 
> Br
> Stromsec
> 
> 
> 
> 2007/4/12, Torkel Mathisen <[EMAIL PROTECTED]>:
> >
> > Hi,
> >
> > We recently upgraded our firewalls from R55 to R61/62. We also moved
> > from Solaris to SPLAT in the same process.
> >
> > After the upgrade we got lots of MTU problems. Traffic that worked
> > before the upgrade now got blocked. Usually with "Invalid Sequence
> > Number" and "Bad Ack Number".
> >
> > We found out that most of this was because somewhere from source to
> > destination the MTU was configured lower than 1500.
> >
> > Like this:
> >
> >       client -> server    TCP D=1443 S=39048 Ack=1315177946 Seq=425805031 Len=1460 Win=49640
> >       client -> server    TCP D=1443 S=39048 Push Ack=1315177946 Seq=425806491 Len=266 Win=49640
> >       server -> client    ICMP Destination unreachable (Needed to fragment: next hop MTU = 1440)
> >
> > We have fixed this by changing the MTU setting on the servers. However
> > I don't know if this is such a good idea as it will affect all traffic
> > to and from the server.
> >
> > Why this worked on our old firewalls I can't say really, but I think
> > they were just badly configured.
> >
> > So my question is:
> >
> > What is the best way of dealing with this kind of scenario?
> >
> > Let's say you have a WAN link to a customer where the MTU is 1440 and
> > your server/client is trying to send packets with 1460 bytes.
> >
> >
> > Regards,
> > Torkel
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages, send an email to
> > [EMAIL PROTECTED]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list, please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your subscription options,
> > email [EMAIL PROTECTED]
> > =================================================
> >
> 

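The failure mode discussed in this thread, as an added example that is not part of the original messages: it parses an ICMP "fragmentation needed" message (type 3, code 4), reads the next-hop MTU, and checks whether its source address falls inside the networks defined for the receiving interface. All addresses and topology lists are constructed, and `antispoof_verdict` is a simplified model of an anti-spoofing check, not Check Point's implementation.

```python
import ipaddress
import struct

IPV4_HDR = "!BBHHHBBH4s4s"  # ver/ihl, tos, len, id, flags, ttl, proto, csum, src, dst

def parse_frag_needed(packet: bytes):
    """Return (source, next-hop MTU, original destination) for an ICMP
    type 3 code 4 message, or None for any other packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8 + 20:  # protocol 1 = ICMP
        return None
    # RFC 1191 layout: type, code, checksum, unused, next-hop MTU
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", packet[ihl:ihl + 8])
    if (icmp_type, code) != (3, 4):
        return None
    src = ipaddress.ip_address(packet[12:16])
    inner = packet[ihl + 8:]  # IP header of the packet that was too big
    return src, mtu, ipaddress.ip_address(inner[16:20])

def antispoof_verdict(src, topology):
    """Simplified model: accept only sources inside the interface's networks."""
    return "accept" if any(src in net for net in topology) else "drop"

def build_sample(router, mtu, orig_src, orig_dst):
    """Constructed test packet (checksums left at zero)."""
    ip = lambda a: ipaddress.ip_address(a).packed
    inner = struct.pack(IPV4_HDR, 0x45, 0, 1500, 0, 0x4000, 63, 6, 0,
                        ip(orig_src), ip(orig_dst))
    inner += struct.pack("!HHI", 39048, 1443, 425805031)  # ports and seq from the trace
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + inner
    outer = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                        ip(router), ip(orig_src))
    return outer + icmp

if __name__ == "__main__":
    # Constructed addresses: the router answers from its link address.
    pkt = build_sample("198.51.100.1", 1440, "10.1.1.10", "192.0.2.50")
    src, mtu, dst = parse_frag_needed(pkt)
    wan = [ipaddress.ip_network("192.0.2.0/24")]  # customer network only
    print(f"{src} says MTU {mtu} toward {dst}: {antispoof_verdict(src, wan)}")
    wan.append(ipaddress.ip_network("198.51.100.0/30"))  # add the link network
    print(f"after adding link network: {antispoof_verdict(src, wan)}")
```

With only the customer network defined, the message from the router's link address is dropped and the sender never learns the lower MTU; adding the link network lets it through.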