From owner-freebsd-net@FreeBSD.ORG Fri Nov 10 11:13:55 2006
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9419316A403; Fri, 10 Nov 2006 11:13:55 +0000 (UTC) (envelope-from khetan@os.org.za)
Received: from gauntlet.os.org.za (gauntlet.os.org.za [196.35.70.242]) by mx1.FreeBSD.org (Postfix) with ESMTP id A74E643D49; Fri, 10 Nov 2006 11:13:53 +0000 (GMT) (envelope-from khetan@os.org.za)
Received: from localhost (localhost [127.0.0.1]) by gauntlet.os.org.za (Postfix) with ESMTP id 3394067941; Fri, 10 Nov 2006 13:13:50 +0200 (SAST)
X-Virus-Scanned: amavisd-new at os.org.za
Received: from gauntlet.os.org.za ([127.0.0.1]) by localhost (gauntlet.os.org.za [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 9RlMsGDSb9kR; Fri, 10 Nov 2006 13:13:43 +0200 (SAST)
Received: from khetangajjar (dustpuppy.is.co.za [196.14.169.11]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (No client certificate requested) (Authenticated sender: khetan) by gauntlet.os.org.za (Postfix) with ESMTP id 010A06792D; Fri, 10 Nov 2006 13:13:43 +0200 (SAST)
From: "Khetan Gajjar"
To: "'Bjoern A. Zeeb'"
Cc: "'George V. Neville-Neil'", freebsd-net@freebsd.org
Date: Fri, 10 Nov 2006 13:13:42 +0200
Subject: RE: Path MTU discovery broken in IPSec
Message-ID: <013d01c704b9$483bfbe0$0525010a@af.didata.local>
In-Reply-To: <20061030143114.I2462@maildrop.int.zabbadoz.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
Thread-Index: Acb8M/1PK0ObsksmRoK5O2n99DMC+QIgTvqw
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Fri, 10 Nov 2006 11:13:55 -0000

Hi Bjoern.

My apologies for the delay in response.

> and no rules specific to ICMP?

The only ICMP-specific rules allow everything through;

[host1] ~# ipfw show | grep icmp
01700 35776 3023614 pipe 25 icmp from any to table(1) in via em0
01701 35776 3023614 skipto 1999 icmp from any to table(1) in via em0
01702 35009 2970684 pipe 26 icmp from table(1) to any out via em0
01703 35009 2970684 skipto 1999 icmp from table(1) to any out via em0
02004 37204 3144438 allow icmp from any to table(1) in via em0
02005 41289 3498204 allow icmp from table(1) to any out via em0

And similarly for host2;

[host2] ~# ipfw show | grep icmp
01700 21550 1789832 pipe 25 icmp from any to table(1) in via fxp0
01701 21550 1789832 skipto 1999 icmp from any to table(1) in via fxp0
01702 21190 1770208 pipe 26 icmp from table(1) to any out via fxp0
01703 21190 1770208 skipto 1999 icmp from table(1) to any out via fxp0
02004 22899 1903148 allow icmp from any to table(1) in via fxp0
02005 27470 2297728 allow icmp from table(1) to any out via fxp0

> can you start trying with ping -s 1000 and going up to see when it
> starts to fail? Try to find out exactly.

It appears to be fine up until somewhere between 8000 and 9000, without any issues. Up to 8000, it appears to be fine.

[host1] ~# ping -s 8000 citadel.os.org.za
PING host2 (y.y.y.y): 8000 data bytes
8008 bytes from y.y.y.y: icmp_seq=0 ttl=112 time=533.652 ms
8008 bytes from y.y.y.y: icmp_seq=1 ttl=112 time=544.826 ms
8008 bytes from y.y.y.y: icmp_seq=2 ttl=112 time=531.899 ms
8008 bytes from y.y.y.y: icmp_seq=3 ttl=112 time=581.185 ms
8008 bytes from y.y.y.y: icmp_seq=4 ttl=112 time=674.831 ms
8008 bytes from y.y.y.y: icmp_seq=5 ttl=112 time=674.271 ms
^C
--- host2 ping statistics ---
7 packets transmitted, 6 packets received, 14% packet loss
round-trip min/avg/max/stddev = 531.899/590.111/674.831/61.870 ms

By 9000, it starts to drop packets.

[host1] ~# ping -s 9000 host2
PING host2 (y.y.y.y): 9000 data bytes
9008 bytes from y.y.y.y: icmp_seq=0 ttl=112 time=554.908 ms
9008 bytes from y.y.y.y: icmp_seq=2 ttl=112 time=527.464 ms
9008 bytes from y.y.y.y: icmp_seq=3 ttl=112 time=553.512 ms
9008 bytes from y.y.y.y: icmp_seq=4 ttl=112 time=755.606 ms
9008 bytes from y.y.y.y: icmp_seq=5 ttl=112 time=484.681 ms
9008 bytes from y.y.y.y: icmp_seq=6 ttl=112 time=485.256 ms
9008 bytes from y.y.y.y: icmp_seq=7 ttl=112 time=488.802 ms
9008 bytes from y.y.y.y: icmp_seq=8 ttl=112 time=491.750 ms
9008 bytes from y.y.y.y: icmp_seq=9 ttl=112 time=493.689 ms
9008 bytes from y.y.y.y: icmp_seq=11 ttl=112 time=547.049 ms
9008 bytes from y.y.y.y: icmp_seq=12 ttl=112 time=668.788 ms
9008 bytes from y.y.y.y: icmp_seq=13 ttl=112 time=479.957 ms
9008 bytes from y.y.y.y: icmp_seq=14 ttl=112 time=478.519 ms
9008 bytes from y.y.y.y: icmp_seq=15 ttl=112 time=479.967 ms
9008 bytes from y.y.y.y: icmp_seq=16 ttl=112 time=480.166 ms
9008 bytes from y.y.y.y: icmp_seq=17 ttl=112 time=492.812 ms
^C
--- host2 ping statistics ---
18 packets transmitted, 16 packets received, 11% packet loss
round-trip min/avg/max/stddev = 478.519/528.933/755.606/75.693 ms

At 15000, it is fairly horrendous.

[host1] ~# ping -s 15000 host2
PING host2 (y.y.y.y): 15000 data bytes
15008 bytes from y.y.y.y: icmp_seq=1 ttl=112 time=510.439 ms
15008 bytes from y.y.y.y: icmp_seq=2 ttl=112 time=497.274 ms
15008 bytes from y.y.y.y: icmp_seq=5 ttl=112 time=536.947 ms
15008 bytes from y.y.y.y: icmp_seq=6 ttl=112 time=567.623 ms
15008 bytes from y.y.y.y: icmp_seq=7 ttl=112 time=534.828 ms
15008 bytes from y.y.y.y: icmp_seq=8 ttl=112 time=534.521 ms
15008 bytes from y.y.y.y: icmp_seq=13 ttl=112 time=574.470 ms
15008 bytes from y.y.y.y: icmp_seq=16 ttl=112 time=588.514 ms
15008 bytes from y.y.y.y: icmp_seq=17 ttl=112 time=575.090 ms
15008 bytes from y.y.y.y: icmp_seq=21 ttl=112 time=548.478 ms
^C
--- host2 ping statistics ---
23 packets transmitted, 10 packets received, 56% packet loss
round-trip min/avg/max/stddev = 497.274/546.818/588.514/28.122 ms

> Also could you post the relevant netstat -rnW output?

On host1;

[host1] ~# netstat -rnW
Routing tables

Internet:
Destination                   Gateway             Flags    Refs       Use    Mtu  Netif Expire
default                       x.x.x.1             UGS         0 705597552   1000    em0
127.0.0.1                     127.0.0.1           UH          0   2887710  16384    lo0
x.x.x                         link#1              UC          0         0   1500    em0
x.x.x.1                       00:00:0c:07:ac:0a   UHLW        2     72598   1500    em0   1110
x.x.x.x                       00:12:3f:ec:d1:ce   UHLW        1  28404610   1500    lo0

Internet6:
Destination                   Gateway             Flags    Refs       Use    Mtu  Netif Expire
::1                           ::1                 UH          0         0  16384    lo0
fe80::%em0/64                 link#1              UC          0         0   1500    em0
fe80::212:3fff:feec:d1ce%em0  00:12:3f:ec:d1:ce   UHL         0         0   1500    lo0
fe80::%lo0/64                 fe80::1%lo0         U           0         0  16384    lo0
fe80::1%lo0                   fe80::1%lo0         UHL         0         0  16384    lo0
ff01:1::/32                   link#1              UC          0         0   1500    em0
ff01:3::/32                   ::1                 UC          0         0  16384    lo0
ff02::%em0/32                 link#1              UC          0         0   1500    em0
ff02::%lo0/32                 ::1                 UC          0         0  16384    lo0

And on host2;

[host2] ~# netstat -rnW
Routing tables

Internet:
Destination                   Gateway             Flags    Refs       Use    Mtu  Netif Expire
default                       y.y.y.185           UGS         0 187571667   1500   fxp0
127.0.0.1                     127.0.0.1           UH          0   8689214  16384    lo0
y.y.y.185                     00:0f:34:b7:dc:7f   UHLW        2     72625   1500   fxp0    747
y.y.y.y                       00:02:b3:eb:21:db   UHLW        1  43334553   1500    lo0

Internet6:
Destination                   Gateway             Flags    Refs       Use    Mtu  Netif Expire
::1                           ::1                 UH          0         0  16384    lo0
fe80::%fxp0/64                link#1              UC          0         0   1500   fxp0
fe80::202:b3ff:feeb:21db%fxp0 00:02:b3:eb:21:db   UHL         0         0   1500    lo0
fe80::%lo0/64                 fe80::1%lo0         U           0         0  16384    lo0
fe80::1%lo0                   fe80::1%lo0         UHL         0         0  16384    lo0
ff01:1::/32                   link#1              UC          0         0   1500   fxp0
ff01:3::/32                   ::1                 UC          0         0  16384    lo0
ff02::%fxp0/32                link#1              UC          0         0   1500   fxp0
ff02::%lo0/32                 ::1                 UC          0         0  16384    lo0

Thanks for your assistance!

-- 
Khetan Gajjar
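The ping sweep in the message above is sent without the Don't Fragment bit, so the 8000/9000/15000-byte datagrams are fragmented on the way out and the loss it measures is fragment loss, not path MTU discovery. PMTUD only comes into play when DF is set: then a router on a narrower hop must answer with ICMP "frag needed and DF set", and if a filter (or the IPsec path) swallows that message the sender sees silence instead, which is the black hole the thread is chasing. Note also that host1's default route already carries Mtu 1000 while em0 is 1500, which is what a previously learned path MTU looks like in netstat -rnW. The script below is an added example, not code from the thread or from FreeBSD: it bisects the largest DF datagram that reaches a host and reports whether the path ever said "frag needed" (PMTUD works) or just went quiet (black hole). It assumes the FreeBSD ping(8) flags -D, -s, -c and -t; the PMTU_SIM and PMTU_SIM_BLACKHOLE variables are test hooks invented here so the logic can be exercised offline.

```sh
#!/bin/sh
# Added example (not from the thread): bisect the path MTU towards a host with
# DF-bit pings and tell a working PMTUD path from a PMTUD black hole.
#
# Assumptions not stated in the thread:
#   - FreeBSD ping(8) flags: -D sets Don't Fragment, -s payload size, -c count,
#     -t overall timeout in seconds (Linux: "-M do" for DF and -W for timeout;
#     Linux -t is TTL, not a timeout).
#   - ping reports an ICMP "frag needed" (type 3, code 4) answer on its output.
#   - 28 bytes of IPv4 + ICMP echo header on top of the payload.
#   - PMTU_SIM=<mtu> swaps the network for a simulated path of that MTU so the
#     script runs offline; PMTU_SIM_BLACKHOLE=1 also simulates a filter that
#     drops the "frag needed" messages. Both are test hooks, not ping options.

HDR=28          # IPv4 header (20) + ICMP echo header (8)
FRAG_SEEN=0     # set to 1 once any probe was answered with "frag needed"

# probe TARGET PAYLOAD
#   returns 0 when an echo reply came back,
#           1 when the path answered with ICMP "frag needed" (PMTUD works),
#           2 when nothing came back (timeout or local "Message too long").
probe() {
    target=$1; size=$2
    if [ -n "${PMTU_SIM:-}" ]; then
        [ $(( size + HDR )) -le "$PMTU_SIM" ] && return 0
        [ "${PMTU_SIM_BLACKHOLE:-0}" = 1 ] && return 2
        FRAG_SEEN=1
        return 1
    fi
    out=$(ping -D -c 1 -t 2 -s "$size" "$target" 2>&1) && return 0
    case "$out" in
        *"rag needed"*) FRAG_SEEN=1; return 1 ;;   # "frag needed and DF set"
        *)              return 2 ;;
    esac
}

# find_pmtu TARGET [MAX_PAYLOAD]
#   prints "<largest datagram size that passed> <ok|blackhole>".
#   "blackhole" means the path is narrower than the probe range, yet no router
#   ever said so: exactly the failure mode PMTUD cannot recover from.
find_pmtu() {
    target=$1
    low=0              # largest payload known to pass (0 = nothing verified yet)
    high=${2:-8972}    # first payload assumed to fail (9000-byte jumbo minus HDR)
    FRAG_SEEN=0
    if probe "$target" "$high"; then
        echo "$(( high + HDR )) ok"      # path is at least this wide
        return 0
    fi
    # Invariant: "low" passes, "high" fails; stop when they are adjacent.
    while [ $(( high - low )) -gt 1 ]; do
        mid=$(( (low + high) / 2 ))
        if probe "$target" "$mid"; then
            low=$mid
        else
            high=$mid
        fi
    done
    if [ "$FRAG_SEEN" = 1 ]; then
        echo "$(( low + HDR )) ok"
    else
        echo "$(( low + HDR )) blackhole"
    fi
}

# Usage: sh pmtu_bisect.sh host2 [max_payload]
if [ -n "${1:-}" ]; then
    find_pmtu "$1" "${2:-8972}"
fi
```

Run it from host1 against host2 with no environment hooks set; a result of "1500 ok" on a plain 1500-byte path is healthy, while anything smaller tagged "blackhole" means ICMP type 3 code 4 is being dropped somewhere between the hosts and the ipfw counters above are worth checking for those specific messages rather than for ICMP as a whole.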