Look for an abundance of fragmented packets on your firewall interface w/tcpdump.
Some applications set the "Don't Fragment" bit on certain packets. When the IPSEC headers are added onto the already large packet, the packet basically requires fragmentation in order to pass. When Check Point creates the IPSEC packet, the Don't Fragment bit is passed onto the new packet. The end result: a packet that requires fragmentation to pass, but has the Don't Fragment bit set, so it can't be fragmented. Packet gets dropped.

You can force FireWall-1 to clear the Don't Fragment bit by setting the fw_ipsec_dont_fragment kernel variable as follows:

On Solaris machines, add the following line to the bottom of the /etc/system file and reboot:

    set fw:fw_ipsec_dont_fragment=0x0

To make this change without rebooting:

    echo "fw_ipsec_dont_fragment?w 0x0" | adb -w -k /dev/ksyms /dev/mem

On a Nokia IPSO system (VPN-1 Appliance or Nokia IPxxx), you will need to get the 'modzap' utility from Resolution 1261 in Nokia's Knowledge Base. You can then use the following command line to modify the fwhmem parameter and reboot the system:

    # modzap -s _fw_ipsec_dont_fragment $FWDIR/modules/fwmod.o 0x0

On Linux, add the following to $FWDIR/boot/modules/fwkern.conf and restart FireWall-1:

    fw_ipsec_dont_fragment=0

http://www.phoneboy.com

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of <Aaron Reynolds>
Sent: Monday, January 27, 2003 12:56 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Win XP - SecuRemote - Outlook - SLOW!!!

Could be fragmentation. Is this behind a DSL router?

-Aaron

-----Original Message-----
From: Tice, Jeff (ADM) [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 27, 2003 9:19 AM
To: [EMAIL PROTECTED]
Subject: [FW-1] Win XP - SecuRemote - Outlook - SLOW!!!

Hi!
Home: Win XP Pro sp1, Outlook XP (or 2000), SecuRemote bld 4200 (FWZ)
Office: Win NT 4.0sp6a, FW-1 4.1sp6

Situation - Takes exceptionally long (3-4 mins) time to log into NT domain at the office from home
** Old WinME machine (SecuRemote 4186) took about 10 secs

Once logged in, everything "inside" the domain works great - EXCEPT Outlook (5 mins to open)
** Old WinME machine took about 15 secs to open and use

Hosts & Lmhosts file have internal IP of Exchange (5.5sp4) server listed
DNS settings options are presented differently than ME (have tried various combos)

Any ideas? Thanks!

- Jeff

Jeff Tice
Director of Technology
Hickory Public Schools
(828) 312-0717 - voice
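The drop condition described in the reply above (inner packet with DF set, IPsec encapsulation pushes it past the MTU, DF is copied to the outer header, so it can neither pass nor be fragmented) can be reproduced on constructed IPv4 headers. The following is an added example and not code from the thread or from Check Point; the ESP tunnel-mode overhead figures (outer IPv4 header, SPI/sequence, IV, padding, trailer, ICV) are assumed generic values, and `clear_df` stands in for the effect of `fw_ipsec_dont_fragment=0`. The `count_fragments` helper does the check suggested at the top of the reply (counting fragments as you would on a tcpdump capture) on the same parsed headers.

```python
"""Added example: DF-bit / IPsec encapsulation drop condition on constructed IPv4 headers."""
import struct

DF_FLAG = 0x4000  # "Don't Fragment" bit in the IPv4 flags/fragment-offset field
MF_FLAG = 0x2000  # "More Fragments" bit

def build_ipv4_header(total_length, df=False, mf=False, frag_offset=0, proto=6):
    """Construct a 20-byte IPv4 header for test input (checksum left zero, constructed addresses)."""
    flags_frag = (DF_FLAG if df else 0) | (MF_FLAG if mf else 0) | ((frag_offset // 8) & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234, flags_frag,
                       64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def parse_ipv4_header(raw):
    """Parse the fixed IPv4 header fields a fragmentation check needs."""
    if len(raw) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, _tos, total_length, _ident, flags_frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    return {
        "total_length": total_length,
        "proto": proto,
        "df": bool(flags_frag & DF_FLAG),
        "mf": bool(flags_frag & MF_FLAG),
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # offset is stored in 8-byte units
    }

def esp_tunnel_overhead(inner_len, iv_len=8, icv_len=12, block=8):
    """Assumed ESP tunnel-mode overhead: outer IPv4 (20) + SPI/seq (8) + IV + pad + 2-byte trailer + ICV."""
    pad = (block - (inner_len + 2) % block) % block  # pad so (payload + trailer) fills whole cipher blocks
    return 20 + 8 + iv_len + pad + 2 + icv_len

def ipsec_forwarding_decision(inner_raw, mtu=1500, clear_df=False):
    """Decide what happens to an inner packet once it is encapsulated.

    Returns "forwarded", "fragmented", or "dropped_df" (fragmentation needed but the
    inner DF bit was copied to the outer header, so the packet is discarded).
    """
    hdr = parse_ipv4_header(inner_raw)
    outer_len = hdr["total_length"] + esp_tunnel_overhead(hdr["total_length"])
    if outer_len <= mtu:
        return "forwarded"
    if hdr["df"] and not clear_df:
        return "dropped_df"
    return "fragmented"  # DF clear (or cleared by the gateway), so the outer packet may be split

def count_fragments(headers):
    """Count headers that are fragments (MF set or non-zero offset), as a tcpdump review would."""
    return sum(1 for raw in headers
               if parse_ipv4_header(raw)["mf"] or parse_ipv4_header(raw)["frag_offset"] > 0)

if __name__ == "__main__":
    small_df = build_ipv4_header(1400, df=True)
    large_df = build_ipv4_header(1480, df=True)
    print(ipsec_forwarding_decision(small_df))                  # forwarded
    print(ipsec_forwarding_decision(large_df))                  # dropped_df
    print(ipsec_forwarding_decision(large_df, clear_df=True))   # fragmented
```

The interesting case is a packet that fits the MTU on its own (1480 bytes) but not once roughly 56 bytes of encapsulation are added; with the DF bit honoured it is dropped, with the bit cleared the outer packet is fragmented and the transfer continues, which is why a capture on the firewall interface shows many fragments when the workaround is in place.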
=================================================
To set vacation, Out Of Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
