OK, I'm pretty sure that this is a pMTU-discovery problem. Use of tcpdump at either end shows that "large" packets (that would normally require fragmentation, i.e. larger than the MTU of the VPN tunnel (~1440 bytes?)) that have the "Don't Fragment" bit set don't make it through the tunnel, but neither does the GB send an ICMP 'Must Fragment', which would normally tell the pMTU-discovery algorithm on the host to decrease the MTU. As a result, the host just keeps resending until something times out.
It's my understanding that the GB (at one end or the other) should be issuing an ICMP must-fragment message, but isn't (or it is, but it's being internally filtered before it can get out). (And I'm aware of the MS05-019 issue, but this is between Linux boxen.)

--
Phil Dye, Technical Manager
A L C H E M Y D I G I T A L
Tel: +44 (0)23 8060 4080
http://www.alchemydigital.com/

> -----Original Message-----
> From: Phil Dye [mailto:[EMAIL PROTECTED]
> Sent: 16 May 2005 16:31
> To: [email protected]
> Subject: [gb-users] VPN MTU
>
> I think I'm seeing weirdness with the MTU (or more likely, Path MTU
> Discovery) across a GB-Flash<->GB1000 VPN.
>
> From either end to the Internet at large seems fine, with an MTU of 1500
> not being fragmented (using an ICMP ping with a 1472 byte payload). The
> same test across the VPN gives me a payload of 1410 bytes, the
> difference presumably being IPsec overhead. But the weird bit is that
> I'm not getting the "must-fragment" errors; the packets are just being
> silently dropped.
>
> Can anyone point me in the direction of what I should be checking...?
> Specifically, what ICMP filters I should be using, and applied to which
> interfaces (preferably not on the VPN?)?
>
> Ta,
>
> --
> Phil Dye, Technical Manager
> A L C H E M Y D I G I T A L
> Tel: +44 (0)23 8060 4080
> http://www.alchemydigital.com/
>
> ------------------------------------------------------
> To unsubscribe: [EMAIL PROTECTED]
> For additional commands: [EMAIL PROTECTED]
> Archive: http://archives.gnatbox.com/gb-users/
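The test described in the thread (DF-set pings of increasing payload size, and watching for the ICMP "fragmentation needed" message that a PMTU black hole never sends) can be scripted so the search is systematic rather than by hand. The script below is an added example and is not from the original posts or from the GNAT Box product; it assumes Linux iputils `ping` (`-M do` sets DF, `-s` sets the ICMP payload size) and a standard `tcpdump`. The MTU arithmetic uses the poster's own numbers: a 1472-byte payload plus 8 bytes of ICMP header and 20 bytes of IPv4 header is 1500, and 1410 + 28 = 1438 is the largest unfragmented packet the tunnel carried, i.e. 62 bytes of ESP overhead. The hostnames, interface names and the `probe`/`pmtu_bisect` function names are the example's own.

```sh
#!/bin/sh
# Added example (not from the gb-users thread): find the largest DF-set ping
# payload a path accepts by binary search, convert it to a path MTU, and show
# the tcpdump filter that would catch the ICMP "fragmentation needed" replies
# (type 3, code 4) that a correctly behaving gateway must send.
# Assumption: Linux iputils ping (-M do = set DF, -s = payload bytes).

# probe SIZE HOST -> exit 0 if one DF-set ping of SIZE payload bytes is answered.
probe() {
    ping -c 1 -W 2 -M do -s "$1" "$2" >/dev/null 2>&1
}

# pmtu_bisect HOST LO HI -> prints the largest payload in [LO,HI] that probe
# accepts (0 if none). Each failed probe on a healthy path would be matched by
# an ICMP type 3/code 4; on a black-holed path the probe simply times out.
pmtu_bisect() {
    host=$1; lo=$2; hi=$3; best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if probe "$mid" "$host"; then
            best=$mid; lo=$((mid + 1))
        else
            hi=$((mid - 1))
        fi
    done
    echo "$best"
}

# payload_to_mtu PAYLOAD -> IPv4 MTU: payload + 8 (ICMP echo header) + 20 (IPv4 header).
payload_to_mtu() {
    echo $(( $1 + 28 ))
}

# esp_overhead OUTER_MTU INNER_MTU -> bytes consumed by the tunnel encapsulation.
esp_overhead() {
    echo $(( $1 - $2 ))
}

# frag_needed_filter -> the pcap filter that isolates ICMP "fragmentation needed".
# Run on the host as:  tcpdump -ni eth0 "$(frag_needed_filter)"
# If DF-set probes are dropped and this capture stays empty, the gateway is a
# PMTU black hole (or its ICMP filter drops the error before it leaves).
frag_needed_filter() {
    echo 'icmp[icmptype] == icmp-unreach and icmp[icmpcode] == 4'
}

# Example invocation (replace vpn-peer.example with the far end of the tunnel):
#   best=$(pmtu_bisect vpn-peer.example 0 1472)
#   echo "largest payload: $best, path MTU: $(payload_to_mtu "$best")"
```

Running the bisection against an Internet host should stop at 1472 (MTU 1500); across the tunnel it should stop at the poster's 1410 (MTU 1438). The interesting observation is not the number but the capture: with a working gateway, every probe above the tunnel MTU produces an ICMP type 3 code 4 on the sending host's interface, and the host's kernel lowers its cached path MTU at once. If the capture stays empty while the oversized probes time out, ICMP unreachables are being filtered somewhere along the path, and that filter, not the MTU itself, is what needs fixing; allowing ICMP type 3 code 4 in and out on the tunnel and outside interfaces is the usual minimum.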
