Re: DF bit - Dont Fragment
Stripping the DF bit should be enough to solve this problem... as the routers will then fragment the packets as required. Or have I missed something?

Andrew

On 22.06.2004, at 09:54, Jean-Francois Dive wrote:

> Just to mention, but when you have PMTU occurring in a VPN context, you have a problem if the lower MTU is in the tunneled packet path: the ICMP will be sent to the originator of the encapsulated packet, which is the VPN box, which itself can't send it back to the client, and so PMTU is broken. In IPsec there is a way (which consists of maintaining an MTU value per outgoing SA), but for CIPE I don't know how they deal with it. Another trick is to change the TCP MSS value on the fly, --clamp-to-pmtu with iptables if I am right.
Re: DF bit - Dont Fragment
Just to mention, but when you have PMTU occurring in a VPN context, you have a problem if the lower MTU is in the tunneled packet path: the ICMP will be sent to the originator of the encapsulated packet, which is the VPN box, which itself can't send it back to the client, and so PMTU is broken. In IPsec there is a way (which consists of maintaining an MTU value per outgoing SA), but for CIPE I don't know how they deal with it. Another trick is to change the TCP MSS value on the fly, --clamp-to-pmtu with iptables if I am right.

J.

On Mon, Jun 21, 2004 at 04:35:25PM +0200, Andrew Miehs wrote:
> Will have to try it again...
>
> The reason why Path MTU doesn't work is that our F5s (BigIPs) seem to have a broken implementation of NATing ICMP PMTU packets (at least when using Aggregate ALL - OneConnect or SNAT)
>
> Andrew
>
> > My bet would be that someone is blocking ICMP messages (you, your firewall, your ISP?). There's a really good explanation of PMTU at http://www.netheaven.com/pmtu.html that should explain all that for you.
> >
> > As someone else suggested you can lower the MTU and probably get around the problem, but it would be better to try and figure out which router is blocking your PMTU attempts ... play with the -M option to ping (at least in iputils-ping from testing).
> >
> > Of course I've never used CIPE so I may be totally off base.
> > --
> > Fraser Campbell <[EMAIL PROTECTED]>
> > http://www.wehave.net/ Georgetown, Ontario, Canada
> > Debian GNU/Linux

--
-> Jean-Francois Dive
--> [EMAIL PROTECTED]

I think that God in creating Man somewhat overestimated his ability.
-- Oscar Wilde
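The failure Jean-Francois describes, and the per-SA MTU workaround he mentions for IPsec, as an added example that is not code from this thread, from CIPE or from any IPsec implementation: a VPN endpoint that parses the router's ICMP Fragmentation Needed error (ICMP type 3 code 4, next-hop MTU field from RFC 1191), records the outer path MTU per peer, and synthesises towards the tunnelled client the error the client could never have received from the path. The addresses, ports, the assumed 28-byte UDP-encapsulation overhead and the packet bytes are all constructed for the example. The iptables option he has in mind is spelled --clamp-mss-to-pmtu (TCPMSS target); mss_for_mtu shows the value it would set for a given MTU.

```python
import socket
import struct

IP_FLAG_DF = 0x4000                  # Don't Fragment bit in the IPv4 flags/fragment-offset field
PROTO_UDP, PROTO_TCP = 17, 6
ICMP_UNREACH, ICMP_FRAG_NEEDED = 3, 4
# Assumption for the example: CIPE-style UDP encapsulation costs an outer IPv4 header (20)
# plus a UDP header (8); a real deployment adds the cipher's own overhead to this figure.
TUNNEL_OVERHEAD = 20 + 8

def build_ipv4_header(src, dst, total_len, proto, df=True):
    """Minimal 20-byte IPv4 header; checksum left zero because only the layout matters here."""
    flags_off = IP_FLAG_DF if df else 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_off, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def parse_ipv4_header(buf):
    """Return the IPv4 header fields the tunnel endpoint needs."""
    vihl, _tos, total_len, _id, flags_off, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", buf[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    return {"ihl": (vihl & 0x0F) * 4, "total_len": total_len, "proto": proto,
            "df": bool(flags_off & IP_FLAG_DF),
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}

def build_frag_needed(next_hop_mtu, offending_datagram):
    """ICMP Destination Unreachable, code Fragmentation Needed (RFC 792), with the
    next-hop MTU in bytes 6-7 (RFC 1191), quoting the offending IP header + 8 bytes."""
    ihl = parse_ipv4_header(offending_datagram)["ihl"]
    return (struct.pack("!BBHHH", ICMP_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
            + offending_datagram[:ihl + 8])

def parse_frag_needed(icmp):
    """Return (next_hop_mtu, quoted IP header dict, quoted 8 transport bytes)."""
    itype, code, _csum, _unused, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
    if (itype, code) != (ICMP_UNREACH, ICMP_FRAG_NEEDED):
        raise ValueError("not a Fragmentation Needed error")
    quoted = parse_ipv4_header(icmp[8:])
    l4 = icmp[8 + quoted["ihl"]:8 + quoted["ihl"] + 8]
    return next_hop_mtu, quoted, l4

class TunnelEndpoint:
    """VPN box keeping one path MTU per peer, as IPsec keeps one per outgoing SA.

    The router addresses its ICMP error to the outer source (this box), and the bytes it
    quotes are the outer IP header plus the tunnel's UDP header, so nothing in the error
    identifies the client flow that caused it. The box therefore records the MTU and
    answers the next oversized DF packet from a client with an ICMP error of its own."""

    def __init__(self, own_addr):
        self.own_addr = own_addr
        self.peer_mtu = {}                       # peer outer address -> learned path MTU

    def on_icmp_from_path(self, icmp):
        """Learn the outer path MTU from an error about one of our tunnel packets."""
        next_hop_mtu, outer, _l4 = parse_frag_needed(icmp)
        if outer["src"] != self.own_addr or outer["proto"] != PROTO_UDP:
            return None                          # not about our tunnel: ignore it
        self.peer_mtu[outer["dst"]] = next_hop_mtu
        return outer["dst"], next_hop_mtu

    def inner_mtu(self, peer):
        """Largest inner datagram that still fits the outer path to this peer."""
        return self.peer_mtu.get(peer, 1500) - TUNNEL_OVERHEAD

    def forward_inner(self, inner_datagram, peer):
        """('send', None) if the packet fits or may be fragmented; otherwise ('icmp', bytes)
        carrying the Fragmentation Needed error the client would never get from the path."""
        hdr = parse_ipv4_header(inner_datagram)
        limit = self.inner_mtu(peer)
        if hdr["df"] and hdr["total_len"] > limit:
            return "icmp", build_frag_needed(limit, inner_datagram)
        return "send", None

def mss_for_mtu(mtu):
    """TCP MSS matching an MTU for IPv4 without options: 20-byte IP + 20-byte TCP headers."""
    return mtu - 40

def demo():
    """Constructed scenario: a 1400-byte link sits behind the router; our outer packet was 1500."""
    box = TunnelEndpoint("192.0.2.1")
    outer = (build_ipv4_header("192.0.2.1", "198.51.100.1", 1500, PROTO_UDP)
             + struct.pack("!HHHH", 6543, 6543, 1480, 0) + bytes(1500 - 28))
    box.on_icmp_from_path(build_frag_needed(1400, outer))      # error from the router
    client_pkt = build_ipv4_header("10.0.0.5", "10.1.0.7", 1450, PROTO_TCP) + bytes(1450 - 20)
    verdict, icmp_to_client = box.forward_inner(client_pkt, "198.51.100.1")
    advertised = parse_frag_needed(icmp_to_client)[0] if verdict == "icmp" else None
    limit = box.inner_mtu("198.51.100.1")
    return limit, verdict, advertised, mss_for_mtu(limit)

if __name__ == "__main__":
    print(demo())
```

The point the code makes is in on_icmp_from_path: the only thing the VPN box can take from the router's error is the next-hop MTU for that peer, because the quoted bytes belong to its own tunnel packet, not to the client's TCP segment (with encryption in the way it could not even see them). Everything after that is local policy: either the box answers oversized DF packets itself, as forward_inner does, or the TCP SYNs crossing it are clamped to mss_for_mtu(inner_mtu) so the question never arises.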
Re: DF bit - Dont Fragment
Will have to try it again...

The reason why Path MTU doesn't work is that our F5s (BigIPs) seem to have a broken implementation of NATing ICMP PMTU packets (at least when using Aggregate ALL - OneConnect or SNAT)

Andrew

> My bet would be that someone is blocking ICMP messages (you, your firewall, your ISP?). There's a really good explanation of PMTU at http://www.netheaven.com/pmtu.html that should explain all that for you.
>
> As someone else suggested you can lower the MTU and probably get around the problem, but it would be better to try and figure out which router is blocking your PMTU attempts ... play with the -M option to ping (at least in iputils-ping from testing).
>
> Of course I've never used CIPE so I may be totally off base.
> --
> Fraser Campbell <[EMAIL PROTECTED]>
> http://www.wehave.net/ Georgetown, Ontario, Canada
> Debian GNU/Linux
Re: DF bit - Dont Fragment
On June 21, 2004 09:50 am, Andrew Miehs wrote:
> tried that... But that seemed just to disable PMTU Discovery, and not disable the 'DF' bit... (After the traffic between myself and the server via a CIPE tunnel stopped working when the packets got too large)
> - Or is there a bug in packet fragmentation in the Linux kernel?

Hmmm, I did try it here and my outgoing packets lacked the DF bit as soon as I made that change. Replies are up to the other side of the connection, so they may or may not set DF as far as I can tell.

If large packets are being blocked then there is definitely a bug; whether it's in the Linux kernel (doubtful), CIPE, your firewall (?) or in an upstream router is impossible for me to tell.

My bet would be that someone is blocking ICMP messages (you, your firewall, your ISP?). There's a really good explanation of PMTU at http://www.netheaven.com/pmtu.html that should explain all that for you.

As someone else suggested you can lower the MTU and probably get around the problem, but it would be better to try and figure out which router is blocking your PMTU attempts ... play with the -M option to ping (at least in iputils-ping from testing).

Of course I've never used CIPE so I may be totally off base.
--
Fraser Campbell <[EMAIL PROTECTED]>
http://www.wehave.net/ Georgetown, Ontario, Canada
Debian GNU/Linux
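A probing loop built on the "-M do" ping Fraser points to, as an added example that is not code from this thread or from iputils: it binary-searches the largest DF-set packet the path carries and, from whether the oversized probes come back as Fragmentation Needed errors or simply vanish, tells an ordinary small-MTU hop from the ICMP black hole that breaks PMTU discovery. The simulated probe and its bottleneck sizes are constructed; the ping flags are the iputils ones (-M do sets DF, -s is the ICMP payload size, -c 1 sends one packet, -W is the reply timeout).

```python
import subprocess

IPV4_ICMP_OVERHEAD = 20 + 8   # 'ping -s' counts ICMP payload only; IP and ICMP headers are extra

def ping_probe(host, payload, timeout=1):
    """One DF-set echo request via iputils ping. Returns 'ok', 'frag_needed' (a router's
    ICMP error came back and ping reported the MTU) or 'timeout' (nothing came back,
    which is what a PMTU black hole looks like from the sender)."""
    cmd = ["ping", "-M", "do", "-c", "1", "-W", str(timeout), "-s", str(payload), host]
    res = subprocess.run(cmd, capture_output=True, text=True)
    if res.returncode == 0:
        return "ok"
    return "frag_needed" if "mtu" in (res.stdout + res.stderr).lower() else "timeout"

def simulated_probe(bottleneck_mtu, icmp_blackholed=False):
    """Constructed stand-in for a path whose smallest link is bottleneck_mtu;
    icmp_blackholed models a box that eats the Fragmentation Needed errors on the way back."""
    def probe(_host, payload):
        if payload + IPV4_ICMP_OVERHEAD <= bottleneck_mtu:
            return "ok"
        return "timeout" if icmp_blackholed else "frag_needed"
    return probe

def find_pmtu(probe, host, lo=548, hi=9000):
    """Binary-search the largest DF-set packet the path carries, between a payload any
    IPv4 path should pass (548 + 28 = 576 bytes) and one expected to fail.
    Returns (path_mtu_bytes, blackholed): blackholed is True when every oversized probe
    vanished without an ICMP error, i.e. the kernel's own PMTU discovery cannot work here."""
    verdicts = []

    def run(payload):
        verdicts.append(probe(host, payload))
        return verdicts[-1]

    if run(lo) != "ok":
        raise RuntimeError(f"even {lo + IPV4_ICMP_OVERHEAD}-byte probes fail; is ICMP echo blocked?")
    if run(hi) == "ok":
        lo = hi                                  # the path carries the largest size tried
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if run(mid) == "ok":
            lo = mid
        else:
            hi = mid
    failures = [v for v in verdicts if v != "ok"]
    blackholed = bool(failures) and all(v == "timeout" for v in failures)
    return lo + IPV4_ICMP_OVERHEAD, blackholed

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else None
    probe = ping_probe if host else simulated_probe(1400, icmp_blackholed=True)
    print(find_pmtu(probe, host or "simulated path"))
```

Run it with a hostname to probe a real path (ping needs its usual raw-socket privilege), or without one to see the simulated black hole. A frag_needed verdict means the router's error reached you and the kernel's PMTU discovery should work on its own; a run of timeouts above the bottleneck with no error at all is the symptom Andrew describes behind the F5s, and in that case lowering the tunnel MTU or clamping the MSS on the tunnel box is the fix, not anything on the end hosts.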
Re: DF bit - Dont Fragment
Hi!

I had a similar problem with a tunnel - I solved it by setting the MTU of the interface lower. The PMTU discovery didn't work in my case.

rgds,
j

Andrew Miehs wrote:
> Hi Fraser,
>
> tried that... But that seemed just to disable PMTU Discovery, and not disable the 'DF' bit... (After the traffic between myself and the server via a CIPE tunnel stopped working when the packets got too large)
> - Or is there a bug in packet fragmentation in the Linux kernel?
>
> Regards

--
Andreas John
net-lab GmbH
Luisenstrasse 30b
63067 Offenbach
Tel: +49 69 85700331
http://www.net-lab.net
Re: DF bit - Dont Fragment
Hi Fraser,

tried that... But that seemed just to disable PMTU Discovery, and not disable the 'DF' bit... (After the traffic between myself and the server via a CIPE tunnel stopped working when the packets got too large)
- Or is there a bug in packet fragmentation in the Linux kernel?

Regards

Andrew

> On June 21, 2004 07:36 am, Andrew Miehs wrote:
>
> > I can't find it. How do I turn off the 'Don't Fragment' bit without using IP Tables/Chains? Is there a proc setting? Or do I need to re-compile the kernel? And if so, where is the jumper?
>
> You're probably looking for /proc/sys/net/ipv4/ip_no_pmtu_disc
>
> --
> Fraser Campbell <[EMAIL PROTECTED]>
> http://www.wehave.net/ Georgetown, Ontario, Canada
> Debian GNU/Linux
Re: DF bit - Dont Fragment
On June 21, 2004 07:36 am, Andrew Miehs wrote:
> I can't find it. How do I turn off the 'Don't Fragment' bit without using IP Tables/Chains? Is there a proc setting? Or do I need to re-compile the kernel? And if so, where is the jumper?

You're probably looking for /proc/sys/net/ipv4/ip_no_pmtu_disc

--
Fraser Campbell <[EMAIL PROTECTED]>
http://www.wehave.net/ Georgetown, Ontario, Canada
Debian GNU/Linux