Date: Fri, 25 May 2001 11:35:26 +1000 (EST) From: Rowan Crowe <rowan@sensation.net.au> To: freebsd-isp@freebsd.org Subject: Cisco <-> FreeBSD IP tunnels Message-ID: <Pine.BSF.4.21.0105251125460.16571-100000@velvet.sensation.net.au>
Hello,

I'm having a problem with Cisco NOS style tunnels, running the iptunnel.c program at the FreeBSD end. It seems you can't configure the MTU on the Cisco, so the effective MTU ends up being 1480 bytes (1500 minus 20 bytes encapsulation overhead).

This is causing BIG problems with MTU path discovery, and web sites that support PMTU but have a firewall somewhere blocking more ICMP than it should. Enabling PMTU but blocking ICMP actually causes the problem - the web site is sending packets with the Don't Fragment bit set, the router sends back an ICMP saying "I cannot comply with your Don't Fragment requirement, the MTU to use is xxx, I am dropping this packet", the firewall blocks that packet so the web server never sees it and continues to send full size packets. Repeat process endlessly.

(aside - if you block ICMP, do you block more than type 0 and 8? if so, why?)

Is there anyone tunnelling between a FreeBSD box and a Cisco using a true MTU/MRU of 1500? I realise the encapsulated packets themselves may be fragmented (1500 in + 20 overhead = 2 fragments over an ethernet), but that's no problem so long as the *contents* of the tunnel are not fragmented, and it can pass a full 1500 byte packet intact.

Thanks for any suggestions...

Cheers.

-- 
Rowan Crowe                    http://www.rowan.sensation.net.au/
Sensation Internet Services    http://info.sensation.net.au/
Melbourne, Australia           Phone: +61-3-9329-5498

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0105251125460.16571-100000>
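The PMTU black hole described in the message above, as an added simulation that is not part of the original post or of iptunnel.c. It models the three parties involved: a web server that sends with DF set and never backs off unless told to, a tunnel router whose link MTU is 1480 (1500 minus the 20-byte outer IP header) and that answers oversized DF packets with ICMP type 3 code 4 "fragmentation needed", and a firewall in front of the server whose ICMP policy is either "echo only" (types 0 and 8) or "echo plus type 3". The ICMP type/code numbers are the real ones; the packet and filter classes, the round limit and the sample sizes are constructed for the example. A second scenario shows the author's proposed alternative, a tunnel with an inner MTU of 1500 whose outer datagram is fragmented on the Ethernet instead:

```python
"""Path MTU discovery black hole through a 1480-byte IP-in-IP tunnel (constructed example)."""
import math
from dataclasses import dataclass

ETHERNET_MTU = 1500
IPIP_OVERHEAD = 20                       # outer IPv4 header added by the tunnel
TUNNEL_MTU = ETHERNET_MTU - IPIP_OVERHEAD  # 1480, the value the message complains about
ICMP_ECHO_REPLY, ICMP_UNREACHABLE, ICMP_ECHO_REQUEST = 0, 3, 8
ICMP_CODE_FRAG_NEEDED = 4                # "fragmentation needed and DF set"


@dataclass
class Packet:
    size: int        # total IP length of the inner packet
    df: bool         # Don't Fragment bit


@dataclass
class IcmpMessage:
    type: int
    code: int
    next_hop_mtu: int = 0   # filled in for type 3 code 4 (RFC 1191)


def icmp_filter_echo_only(msg: IcmpMessage) -> bool:
    """Firewall policy that passes only echo request/reply: the broken one."""
    return msg.type in (ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST)


def icmp_filter_with_unreachable(msg: IcmpMessage) -> bool:
    """Firewall policy that also passes destination unreachable, so PMTUD works."""
    return msg.type in (ICMP_ECHO_REPLY, ICMP_UNREACHABLE, ICMP_ECHO_REQUEST)


def tunnel_router(pkt: Packet, tunnel_mtu: int):
    """Router at the tunnel entrance: forward, or reject a DF packet with type 3 code 4."""
    if pkt.size <= tunnel_mtu:
        return "forward", pkt
    if pkt.df:
        return "icmp", IcmpMessage(ICMP_UNREACHABLE, ICMP_CODE_FRAG_NEEDED, tunnel_mtu)
    return "fragment", pkt   # a non-DF packet would simply be fragmented


def simulate(payload: int, icmp_filter, tunnel_mtu: int = TUNNEL_MTU, max_rounds: int = 10):
    """Web server sends `payload` bytes with DF set and retransmits until delivered.

    Returns (delivered, rounds_used, path_mtu_the_server_believes_in).
    """
    believed_mtu = ETHERNET_MTU           # server starts from its own link MTU
    for rounds in range(1, max_rounds + 1):
        pkt = Packet(size=min(payload, believed_mtu), df=True)
        action, result = tunnel_router(pkt, tunnel_mtu)
        if action == "forward":
            return True, rounds, believed_mtu
        # The router generated ICMP; it only helps if the firewall lets it through.
        if icmp_filter(result):
            believed_mtu = result.next_hop_mtu
        # Otherwise the server never learns and resends the same size: the black hole.
    return False, max_rounds, believed_mtu


def outer_fragments(inner_size: int) -> int:
    """Ethernet fragments of the outer datagram when the tunnel passes a full-size inner packet.

    The inner packet is the outer datagram's payload; each fragment carries at most
    ETHERNET_MTU - 20 payload bytes (1480, a multiple of 8 as fragmentation requires).
    """
    return math.ceil(inner_size / (ETHERNET_MTU - 20))


if __name__ == "__main__":
    print("echo-only firewall, 1480 tunnel:", simulate(1500, icmp_filter_echo_only))
    print("type 3 allowed,     1480 tunnel:", simulate(1500, icmp_filter_with_unreachable))
    print("echo-only firewall, 1500 tunnel:", simulate(1500, icmp_filter_echo_only, tunnel_mtu=1500))
    print("outer fragments for a 1500-byte inner packet:", outer_fragments(1500))
```

With the echo-only policy and a 1480 tunnel the server retransmits the same 1500-byte DF packet every round and never delivers; letting type 3 through fixes it on the second round; raising the tunnel's inner MTU to 1500 removes the dependency on ICMP entirely at the cost of the outer datagram arriving as two fragments.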