Erich Titl wrote:
| Hi folks
|
| As the subject suggests, this is a bit off topic, but as a LEAF system
| is involved please excuse me.
| I am baffled by the behaviour of a M$ application (IIS) on a customer
| network.
| This network is a hub and spoke structure built with Bering glibc
| routers. Some of the locations use DSL, others cable modem. The spokes
| are IPsec connections to the hub network. In the hub network there is an
| IIS server with a WEB application.
| A client system on one of the client networks requests a page (or rather
| a web based application) on the server. I can observe the normal packet
| flow between client and server until... the server tries to send a
| packet of size 1452 bytes to the client (with DF bit set). I _believe_
| IPsec decides that this packet is too large to be passed to the other
| side so the Bering system sends an ICMP fragmentation needed package to
| the server with a size proposal of 1319 bytes.
|
| I would expect the server to reduce the packet size accordingly but
| helas it does not. Am I just naive to expect M$ to follow or is it
| compulsory only to respect ICMP?

You have to have Path MTU discovery enabled:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/randz/protocol/path_mtu_discovery.asp

...and you have to enable the appropriate ICMP message to pass through all routers involved (many folks just 'black hole' all ICMP traffic, and assume there are no side effects, like broken Path MTU discovery).

NOTE: The MS page above indicates Microsoft is doing the proper thing with Path MTU discovery, but that's for Server 2003. IIRC, you had to explicitly enable PMTU discovery for older (i.e. 2K & maybe XP) Microsoft systems (motto: We can steal^h^h^h^h^h appropriate the BSD networking stack, but we still don't know how to do TCP/IP...besides, who uses a WAN!?!).

You can find more info in the OpenS/WAN documentation, or just google for "path mtu".

There are also various ways to work around broken Path MTU discovery with settings in your ipsec.conf file.

--
Charles Steinkuehler
[EMAIL PROTECTED]

------------------------------------------------------------------------
leaf-user mailing list: [email protected]
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
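The ICMP "fragmentation needed" message discussed in this thread, as an added example that is not part of the original e-mails: a Python parser for ICMP type 3 / code 4 (RFC 1191) that extracts the next-hop MTU and the header of the packet that triggered it, which is what you would check in a capture taken on the server side. The addresses, ports and function names are constructed for illustration; 1452 and 1319 are the sizes quoted in the thread.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frag_needed(next_hop_mtu: int, src: str, dst: str, total_len: int) -> bytes:
    """Construct a sample ICMP type 3 / code 4 message (constructed test data)."""
    # Embedded original IPv4 header: DF set (0x4000), protocol TCP, checksum left 0.
    orig_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                          64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    orig = orig_ip + struct.pack("!HHI", 80, 49152, 0)  # first 8 bytes of TCP
    hdr = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu)
    return struct.pack("!BBHHH", 3, 4, inet_checksum(hdr + orig), 0, next_hop_mtu) + orig

def parse_frag_needed(icmp: bytes):
    """Return PMTU details, or None if this is not a valid type 3 / code 4 message."""
    if len(icmp) < 8 + 20:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4) or inet_checksum(icmp) != 0:
        return None
    ver_ihl, _tos, total_len, _id, flags_frag = struct.unpack("!BBHHH", icmp[8:16])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "next_hop_mtu": mtu,                      # the router's "size proposal"
        "orig_len": total_len,                    # size of the packet that was dropped
        "df_set": bool(flags_frag & 0x4000),      # DF bit of the original packet
        "orig_src": socket.inet_ntoa(icmp[20:24]),  # host that must lower its PMTU
        "orig_dst": socket.inet_ntoa(icmp[24:28]),
        # MSS the sender should fall back to (assumes a 20-byte TCP header).
        # Routers predating RFC 1191 send MTU 0, so no MSS can be derived.
        "tcp_mss": mtu - ihl - 20 if mtu else None,
    }
```

If messages like this reach the server and its segments stay at the original size, the server is ignoring them; if they never appear in a server-side capture, something on the path is dropping ICMP.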
