Re: [OpenAFS] OpenAFS, Cisco VPN and MAC OS and mtu

2009-06-09 Thread Kim Kimball




Jeffrey Altman wrote:

  Kim Kimball wrote:
  
  
Douglas E. Engert wrote:


  
Kim Kimball wrote:
  
  
Have you tried setting MTU on the fileserver command line instead?

  
  No, and I don't want to. Our problem is with just a few clients using VPNs
I don't want to slow everyone else down.

  

Didn't for us, couldn't be measured to any significance.

YMMV

  
  
Kim:

Your issue was slightly different in that in your case you had
old Transarc clients that could not be modified in any way.
A server only solution was the only thing that could work.

Jeffrey Altman
  


Hi Jeffrey,

Thanks for the reminder.  I'd forgotten.  And it's still the case that
we're running antique clients, probably forever or until ...

Kim





___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] OpenAFS, Cisco VPN and MAC OS and mtu

2009-05-29 Thread Jeffrey Altman
Kim Kimball wrote:
> Douglas E. Engert wrote:
>>
>>
>> Kim Kimball wrote:
>>> Have you tried setting MTU on the fileserver command line instead?
>>
>> No, and I don't want to. Our problem is with just a few clients using VPNs
>> I don't want to slow everyone else down.
>>
> Didn't for us, couldn't be measured to any significance.
> 
> YMMV

Kim:

Your issue was slightly different in that in your case you had
old Transarc clients that could not be modified in any way.
A server only solution was the only thing that could work.

Jeffrey Altman




Re: [OpenAFS] OpenAFS, Cisco VPN and MAC OS and mtu

2009-05-29 Thread Kim Kimball

Douglas E. Engert wrote:



Kim Kimball wrote:

Have you tried setting MTU on the fileserver command line instead?


No, and I don't want to. Our problem is with just a few clients using VPNs
I don't want to slow everyone else down.


Didn't for us, couldn't be measured to any significance.

YMMV



That's what we've done, for the same reason.  It has worked, and we 
don't have to fiddle with each client.  The negotiation between AFS 
client and fileserver for MTU size is "fileserver wins."



I got a mod working over the weekend, on Ubuntu (openafs 1.4.7) and
MacOS 10.4 with OpenAFS 1.4.10, that adds a -rxmaxmtu option to afsd.
I am putting final touches on it today.


And we'll use it to good advantage, as it is of course a better solution 
for non VPN users, as you note.





Kim Kimball

Douglas E. Engert wrote:

We are having problems with Mac OS 10.4 and 10.5  using Cisco VPN
AFS can become unusable.  Mac 10.4 is running OpenAFS 1.4.8 for sure.
I think the Mac 10.5 is running OpenAFS 1.5.59.

Using rxdebug and looking at the natMTU parameter, on most Unix systems
this is 1444,(1500 - 56) as expected. On Windows systems this is usually
1260.  And on MAC it is 1444.

Even if I set the interface mtu 1244, and reboot the MAC, rxdebug shows
the interface is using 1244 but rxdebug continues to show a natMTU = 1444.
as though it still assumed the mtu was 1500.

So it looks like the MAC client is not getting the existingMTU
from the OS in util/netutils.c

The AFS client on Windows has the RxMaxMTU (1244 appears to be the best
setting). Is there any equivalent option for the MAC?

Any thoughts on this?












Re: [OpenAFS] OpenAFS, Cisco VPN and MAC OS and mtu

2009-05-28 Thread Jeff Blaine

Jeff Blaine wrote:

FWIW, this appears to be the same problem I reported in
April, but for Windows.

https://lists.openafs.org/pipermail/openafs-info/2009-April/031127.html

We are still working with our networking+VPN folks to
try to determine if it's the same thing or not, as well
as how to fix it.



Have you tried the Windows registry setting rxMaxMtu?

It needs to be 56 bytes less than the actual MTU.
Cisco VPN appears to force a MTU of 1300 on the interface,
so rxMaxMtu should be 1244.


Setting it to 1244 or lower did in fact cause it to start
working.

Well, it works as long as CheckPoint Integrity Flex is
completely off.  With it on, even with all functionality
turned off (Firewall, Program Control, etc), AFS fails.
Figure that one out!  :|


If you are having a fragmentation problem, ping can help, by setting
the don't fragment bit and varying the size can help see what the
limit is.

On Windows:   ping -f -l  ...
On Linux: ping -M do -s  


On the windows client that is failing, try:
rxdebug 127.0.0.1 -port 7001 -peer -long
ipconfig /all

Look for the ifMTU  natMTU  maxMTU 
lines for each afs server. Also compare the IP numbers
with the ip number in the ipconfig.


Very helpful debugging notes.  Thanks for sharing!


As best as I can tell, the code in rx_kcommon.c tries to
determine the ifMTU based on the addresses of the client and server.
If they appear to be on the same class a, b, or c network, it
may work by using the MTU from the matching interface. But if none
of the interfaces match at all, it defaults to using 1500, which can cause
fragmentation. Even in the Windows case I think this might happen.

To test this I need to get off site. Will try tonight from home.



Re: [OpenAFS] OpenAFS, Cisco VPN and MAC OS and mtu

2009-05-28 Thread Jeff Blaine
"In order to enable OpenAFS to operate across releases of the Cisco 
IPSec VPN client prior than 5.0"


We're not running sub 5.0 Cisco VPN software, but I'll give it
a shot.

Jeffrey Altman wrote:

Jeff Blaine wrote:

FWIW, this appears to be the same problem I reported in
April, but for Windows.

https://lists.openafs.org/pipermail/openafs-info/2009-April/031127.html

We are still working with our networking+VPN folks to
try to determine if it's the same thing or not, as well
as how to fix it.


Read the Release Notes

http://docs.openafs.org/ReleaseNotesWindows/ch08.html#id4834377

Search for RxMaxMTU or Cisco.




Re: [OpenAFS] OpenAFS, Cisco VPN and MAC OS and mtu

2009-05-28 Thread Jeffrey Altman
Jeff Blaine wrote:
> FWIW, this appears to be the same problem I reported in
> April, but for Windows.
> 
> https://lists.openafs.org/pipermail/openafs-info/2009-April/031127.html
> 
> We are still working with our networking+VPN folks to
> try to determine if it's the same thing or not, as well
> as how to fix it.

Read the Release Notes

http://docs.openafs.org/ReleaseNotesWindows/ch08.html#id4834377

Search for RxMaxMTU or Cisco.





Re: [OpenAFS] OpenAFS, Cisco VPN and MAC OS and mtu

2009-05-28 Thread Douglas E. Engert



Jeff Blaine wrote:

FWIW, this appears to be the same problem I reported in
April, but for Windows.

https://lists.openafs.org/pipermail/openafs-info/2009-April/031127.html

We are still working with our networking+VPN folks to
try to determine if it's the same thing or not, as well
as how to fix it.



Have you tried the Windows registry setting rxMaxMtu?

It needs to be 56 bytes less than the actual MTU.
Cisco VPN appears to force a MTU of 1300 on the interface,
so rxMaxMtu should be 1244.

If you are having a fragmentation problem, ping can help, by setting
the don't fragment bit and varying the size can help see what the
limit is.

On Windows:   ping -f -l  ...
On Linux: ping -M do -s  


On the windows client that is failing, try:
rxdebug 127.0.0.1 -port 7001 -peer -long
ipconfig /all

Look for the ifMTU  natMTU  maxMTU 
lines for each afs server. Also compare the IP numbers
with the ip number in the ipconfig.

As best as I can tell, the code in rx_kcommon.c tries to
determine the ifMTU based on the addresses of the client and server.
If they appear to be on the same class a, b, or c network, it
may work by using the MTU from the matching interface. But if none
of the interfaces match at all, it defaults to using 1500, which can cause
fragmentation. Even in the Windows case I think this might happen.

To test this I need to get off site. Will try tonight from home.









--

 Douglas E. Engert  
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
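
The don't-fragment ping test and the "56 bytes less than the MTU" rule from the message above, combined into one script as an added example that is not part of the original post. It assumes Linux iputils `ping` and IPv4 without options (28 bytes of IP and ICMP header); the function names and the hostname in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: find the largest ICMP payload that crosses the path with the
# don't-fragment bit set, then derive the path MTU and the matching Rx MTU.

IP_ICMP_OVERHEAD=28   # assumption: 20-byte IPv4 header + 8-byte ICMP header
RX_OVERHEAD=56        # from the thread: rxMaxMtu is 56 bytes less than the MTU

# probe HOST SIZE: succeeds if a DF-marked echo with SIZE payload bytes is answered.
# Hypothetical helper; redefine it to exercise the search without a network.
probe() {
    ping -M do -c 1 -W 2 -s "$2" "$1" >/dev/null 2>&1
}

# largest_payload HOST LO HI: binary search for the largest payload that passes.
# Prints 0 and returns 1 if even LO fails (host down or ICMP filtered).
largest_payload() {
    host=$1 lo=$2 hi=$3
    probe "$host" "$lo" || { echo 0; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$host" "$mid"; then lo=$mid; else hi=$(( mid - 1 )); fi
    done
    echo "$lo"
}

# Convert between the three numbers the thread talks about.
path_mtu()   { echo $(( $1 + IP_ICMP_OVERHEAD )); }
rx_max_mtu() { echo $(( $1 - RX_OVERHEAD )); }

# Usage: sh rxmtu.sh fileserver.example.org   (placeholder hostname)
if [ -n "$1" ]; then
    payload=$(largest_payload "$1" 500 1472) || { echo "no reply from $1" >&2; exit 1; }
    mtu=$(path_mtu "$payload")
    echo "largest DF payload: $payload  path MTU: $mtu  rxMaxMtu: $(rx_max_mtu "$mtu")"
fi
```

On a path limited to an MTU of 1300, the search settles on a 1272-byte payload, which gives the 1244 quoted in the thread.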


Re: [OpenAFS] OpenAFS, Cisco VPN and MAC OS and mtu

2009-05-28 Thread Jeff Blaine

FWIW, this appears to be the same problem I reported in
April, but for Windows.

https://lists.openafs.org/pipermail/openafs-info/2009-April/031127.html

We are still working with our networking+VPN folks to
try to determine if it's the same thing or not, as well
as how to fix it.


Re: [OpenAFS] OpenAFS, Cisco VPN and MAC OS and mtu

2009-05-27 Thread Douglas E. Engert


For anyone interested, I sent in a patch today for this
[grand.central.org #124880] AutoReply: Add -rxmaxmtu parameter to afsd to help 
avoid VPN fragmentation of UDP packets

Kim Kimball wrote:

Have you tried setting MTU on the fileserver command line instead?

That's what we've done, for the same reason.  It has worked, and we 
don't have to fiddle with each client.  The negotiation between AFS 
client and fileserver for MTU size is "fileserver wins."


Kim Kimball

Douglas E. Engert wrote:

We are having problems with Mac OS 10.4 and 10.5  using Cisco VPN
AFS can become unusable.  Mac 10.4 is running OpenAFS 1.4.8 for sure.
I think the Mac 10.5 is running OpenAFS 1.5.59.

Using rxdebug and looking at the natMTU parameter, on most Unix systems
this is 1444,(1500 - 56) as expected. On Windows systems this is usually
1260.  And on MAC it is 1444.

Even if I set the interface mtu 1244, and reboot the MAC, rxdebug shows
the interface is using 1244 but rxdebug continues to show a natMTU = 1444.
as though it still assumed the mtu was 1500.

So it looks like the MAC client is not getting the existingMTU
from the OS in util/netutils.c

The AFS client on Windows has the RxMaxMTU (1244 appears to be the best
setting). Is there any equivalent option for the MAC?

Any thoughts on this?







--

 Douglas E. Engert  
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444


Re: [OpenAFS] OpenAFS, Cisco VPN and MAC OS and mtu

2009-05-27 Thread Douglas E. Engert



Kim Kimball wrote:

Have you tried setting MTU on the fileserver command line instead?


No, and I don't want to. Our problem is with just a few clients using VPNs
I don't want to slow everyone else down.



That's what we've done, for the same reason.  It has worked, and we 
don't have to fiddle with each client.  The negotiation between AFS 
client and fileserver for MTU size is "fileserver wins."



I got a mod working over the weekend, on Ubuntu (openafs 1.4.7) and
MacOS 10.4 with OpenAFS 1.4.10, that adds a -rxmaxmtu option to afsd.
I am putting final touches on it today.




Kim Kimball

Douglas E. Engert wrote:

We are having problems with Mac OS 10.4 and 10.5  using Cisco VPN
AFS can become unusable.  Mac 10.4 is running OpenAFS 1.4.8 for sure.
I think the Mac 10.5 is running OpenAFS 1.5.59.

Using rxdebug and looking at the natMTU parameter, on most Unix systems
this is 1444,(1500 - 56) as expected. On Windows systems this is usually
1260.  And on MAC it is 1444.

Even if I set the interface mtu 1244, and reboot the MAC, rxdebug shows
the interface is using 1244 but rxdebug continues to show a natMTU = 1444.
as though it still assumed the mtu was 1500.

So it looks like the MAC client is not getting the existingMTU
from the OS in util/netutils.c

The AFS client on Windows has the RxMaxMTU (1244 appears to be the best
setting). Is there any equivalent option for the MAC?

Any thoughts on this?







--

 Douglas E. Engert  
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444


Re: [OpenAFS] OpenAFS, Cisco VPN and MAC OS and mtu

2009-05-26 Thread Kim Kimball

Have you tried setting MTU on the fileserver command line instead?

That's what we've done, for the same reason.  It has worked, and we 
don't have to fiddle with each client.  The negotiation between AFS 
client and fileserver for MTU size is "fileserver wins."


Kim Kimball

Douglas E. Engert wrote:

We are having problems with Mac OS 10.4 and 10.5  using Cisco VPN
AFS can become unusable.  Mac 10.4 is running OpenAFS 1.4.8 for sure.
I think the Mac 10.5 is running OpenAFS 1.5.59.

Using rxdebug and looking at the natMTU parameter, on most Unix systems
this is 1444,(1500 - 56) as expected. On Windows systems this is usually
1260.  And on MAC it is 1444.

Even if I set the interface mtu 1244, and reboot the MAC, rxdebug shows
the interface is using 1244 but rxdebug continues to show a natMTU = 1444.
as though it still assumed the mtu was 1500.

So it looks like the MAC client is not getting the existingMTU
from the OS in util/netutils.c

The AFS client on Windows has the RxMaxMTU (1244 appears to be the best
setting). Is there any equivalent option for the MAC?

Any thoughts on this?






[OpenAFS] OpenAFS, Cisco VPN and MAC OS and mtu

2009-05-15 Thread Douglas E. Engert

We are having problems with Mac OS 10.4 and 10.5  using Cisco VPN
AFS can become unusable.  Mac 10.4 is running OpenAFS 1.4.8 for sure.
I think the Mac 10.5 is running OpenAFS 1.5.59.

Using rxdebug and looking at the natMTU parameter, on most Unix systems
this is 1444,(1500 - 56) as expected. On Windows systems this is usually
1260.  And on MAC it is 1444.

Even if I set the interface mtu 1244, and reboot the MAC, rxdebug shows
the interface is using 1244 but rxdebug continues to show a natMTU = 1444.
as though it still assumed the mtu was 1500.

So it looks like the MAC client is not getting the existingMTU
from the OS in util/netutils.c

The AFS client on Windows has the RxMaxMTU (1244 appears to be the best
setting). Is there any equivalent option for the MAC?

Any thoughts on this?

--

 Douglas E. Engert  
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444