Re: [rlug] Problem accessing websites through an ip_gre tunnel between Linux and a Cisco 831

2008-04-12 Thread Tatulescu Andrei
Hi,
Thank you for the help. I juggled the tcpmss a bit and now everything
works properly. I set tcpmss to 1400 and also added
clamp-mss-to-pmtu, though not in mangle but in forward.


___
RLUG mailing list
RLUG@lists.lug.ro
http://lists.lug.ro/mailman/listinfo/rlug







[rlug] Problem accessing websites through an ip_gre tunnel between Linux and a Cisco 831

2008-04-11 Thread Tatulescu Andrei
Hi,

I badly need help with the problem in the subject line. I have been trying
my hardest to solve it and have still not managed to get sites such as
www.microsoft.com and www.downloads.com working through a GRE tunnel between
Debian Linux and a Cisco 831.
On the Linux side the tunnel has the following settings:

tunnel1   Link encap:UNSPEC  HWaddr 56-6B-E9-52-00-00-00-00-00-00-00-00-00-00-00-00
  inet addr:172.16.0.1  P-t-P:172.16.0.1  Mask:255.255.255.252
  UP POINTOPOINT RUNNING NOARP  MTU:1452  Metric:1
  RX packets:316581 errors:0 dropped:0 overruns:0 frame:0
  TX packets:232808 errors:12 dropped:0 overruns:0 carrier:6
  collisions:0 txqueuelen:0 
  RX bytes:301784681 (287.8 MiB)  TX bytes:144384948 (137.6 MiB)

The physical interface the tunnel runs over has:

eth4  Link encap:Ethernet  HWaddr 00:04:23:B5:8F:BD  
  inet addr:  Bcast:  Mask:
  inet6 addr: fe80::204:23ff:feb5:8fbd/64 Scope:Link
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:548646 errors:0 dropped:0 overruns:0 frame:0
  TX packets:271179 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000 
  RX bytes:386746931 (368.8 MiB)  TX bytes:153498280 (146.3 MiB)
  Base address:0xdc00 Memory:e548-e54a


On the Cisco 831 I have the following settings:

interface Tunnel0
 description GRE-to-MSAT-c3620vpn
 ip address 172.16.0.2 255.255.255.252
 ip mtu 1452
 tunnel source Ethernet1
 tunnel destination 86.107.233.82
end

interface Ethernet1
 description WAN Link
 ip address 
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 load-interval 30
 duplex auto
 hold-queue 256 in
 hold-queue 256 out
end

#sh ip interface Ethernet1
Ethernet1 is up, line protocol is up
  Internet address is 
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set


#sh ip interface tunnel 0
Tunnel0 is up, line protocol is up
  Internet address is 172.16.0.2/30
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1452 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set



Please help me get those sites working through GRE as well. If I try to
set the MTU to 1476 I get the following error:

GREv0, length 1456: IP truncated-ip - 24 bytes missing! 86.107.224.2.2382  64.156.47.210.3002





Re: [rlug] Problem accessing websites through an ip_gre tunnel between Linux and a Cisco 831

2008-04-11 Thread Claudiu CISMARU
 
> Please help me get those sites working through GRE as well. If I try
> to set the MTU to 1476 I get the following error:
>
> GREv0, length 1456: IP truncated-ip - 24 bytes missing!
> 86.107.224.2.2382  64.156.47.210.3002

Wrap at 72, it is hurting our eyes!!!

Who produces that message? WHERE are you trying to access from? From
that Linux box, from a workstation connected through it, etc.? WHERE are
you trying to set the MTU to 1476? On the Linux box, on the Cisco, on
the workstation?

-- 
  Claudiu Nicolaie CISMARU
  GNU GPG Key: http://claudiu.targujiu.net/claudiu.gpg
  T: 0752095451, 0788358901
  E: [EMAIL PROTECTED], [EMAIL PROTECTED]




Re: [rlug] Problem accessing websites through an ip_gre tunnel between Linux and a Cisco 831

2008-04-11 Thread Radu Oprisan

Claudiu CISMARU wrote:
> > Please help me get those sites working through GRE as well. If I try
> > to set the MTU to 1476 I get the following error:
> >
> > GREv0, length 1456: IP truncated-ip - 24 bytes missing!
> > 86.107.224.2.2382  64.156.47.210.3002
>
> Wrap at 72, it is hurting our eyes!!!
>
> Who produces that message? WHERE are you trying to access from? From
> that Linux box, from a workstation connected through it, etc.? WHERE
> are you trying to set the MTU to 1476? On the Linux box, on the Cisco,
> on the workstation?
  


Quote from the iptables manual:

  TCPMSS
  This target allows to alter the MSS value of TCP SYN packets, to control
  the maximum size for that connection (usually limiting it to your
  outgoing interface's MTU minus 40).  Of course, it can only be used in
  conjunction with -p tcp.  It is only valid in the mangle table.
  This target is used to overcome criminally braindead ISPs or servers
  which block ICMP Fragmentation Needed packets.  The symptoms of this
  problem are that everything works fine from your Linux firewall/router,
  but machines behind it can never exchange large packets:
   1) Web browsers connect, then hang with no data received.
   2) Small mail works fine, but large emails hang.
   3) ssh works fine, but scp hangs after initial handshaking.
  Workaround: activate this option and add a rule to your firewall
  configuration like:
   iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
   -j TCPMSS --clamp-mss-to-pmtu

  --set-mss value
   Explicitly set MSS option to specified value.

  --clamp-mss-to-pmtu
   Automatically clamp MSS value to (path_MTU - 40).



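
Added example (not part of the original thread and not any poster's code): the MTU and MSS arithmetic behind the TCPMSS manual text quoted above, applied to the 1500-byte link and 1452-byte tunnel MTU from the first post. It assumes IPv4 with option-free 20-byte IP and TCP headers and a 4-byte base GRE header; the function names are invented for this example, and the iptables rule is only printed, never executed.

```shell
#!/bin/sh
# Added example: MTU/MSS arithmetic for a GRE tunnel; prints (never runs)
# the matching TCPMSS rule. Assumes IPv4 and TCP headers without options
# (20 bytes each) and a 4-byte base GRE header (+4 per key/csum/seq).

# gre_overhead [key] [csum] [seq] -> bytes added in front of the inner packet
gre_overhead() {
    oh=24                               # outer IPv4 (20) + base GRE (4)
    for opt in "$@"; do
        case "$opt" in
            key|csum|seq) oh=$((oh + 4)) ;;
            *) echo "unknown GRE option: $opt" >&2; return 1 ;;
        esac
    done
    echo "$oh"
}

# tunnel_mtu LINK_MTU [gre options] -> largest inner packet sent unfragmented
tunnel_mtu() {
    link=$1; shift
    oh=$(gre_overhead "$@") || return 1
    echo $((link - oh))
}

# mss_for_mtu MTU -> largest TCP payload per segment at that MTU
mss_for_mtu() {
    [ "$1" -gt 40 ] || { echo "MTU too small: $1" >&2; return 1; }
    echo $(($1 - 40))
}

# mss_fits MSS MTU -> succeeds when a full-sized segment fits within MTU
mss_fits() { [ $(($1 + 40)) -le "$2" ]; }

# tcpmss_rule MTU -> rule pinning the MSS on forwarded SYNs (uses --set-mss)
tcpmss_rule() {
    mss=$(mss_for_mtu "$1") || return 1
    echo "iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss"
}

# Values from the thread: 1500-byte Ethernet link, tunnel MTU set to 1452.
echo "largest GRE tunnel MTU on a 1500-byte link: $(tunnel_mtu 1500)"
echo "MSS ceiling for tunnel MTU 1452: $(mss_for_mtu 1452)"
mss_fits 1400 1452 && echo "MSS 1400 fits a 1452-byte tunnel MTU"
tcpmss_rule 1452
```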