From: Matthew Grooms
Date: Sat, 22 Oct 2005 17:12:03 -0500
To: mv@roq.com
Cc: volker@vwsoft.com, freebsd-net@freebsd.org
Subject: Re: IPSec tcp session stalling
Message-ID: <435AB933.1050609@shrew.net>

Mike & Volker,

>Try sending different sized pings or other packet size control utils to
>really make sure it's not MTU related.
>Maybe there is an upstream router that's blocking ICMP fragment packets,
>have you ever seen them? try forcing the creation of some.
>
>Mike

I am experiencing the same issue as Volker and tried sending different
sized ICMP packets which seems to work fine. I followed up with a telnet
connection which quickly stalled.

root@hole# tcpdump -i xl1 src or dst 10.20.10.141
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on xl1, link-type EN10MB (Ethernet), capture size 96 bytes
16:46:01.676879 IP 10.22.200.21 > 10.20.10.141: ICMP echo request, id 512, seq 15872, length 508
16:46:01.722918 IP 10.20.10.141 > 10.22.200.21: ICMP echo reply, id 512, seq 15872, length 508
16:46:02.691200 IP 10.22.200.21 > 10.20.10.141: ICMP echo request, id 512, seq 16128, length 508
16:46:02.739848 IP 10.20.10.141 > 10.22.200.21: ICMP echo reply, id 512, seq 16128, length 508
16:46:07.015667 IP 10.22.200.21 > 10.20.10.141: ICMP echo request, id 512, seq 16384, length 1008
16:46:07.067792 IP 10.20.10.141 > 10.22.200.21: ICMP echo reply, id 512, seq 16384, length 1008
16:46:08.019359 IP 10.22.200.21 > 10.20.10.141: ICMP echo request, id 512, seq 16640, length 1008
16:46:08.093539 IP 10.20.10.141 > 10.22.200.21: ICMP echo reply, id 512, seq 16640, length 1008
16:46:12.119300 IP 10.22.200.21 > 10.20.10.141: ICMP echo request, id 512, seq 16896, length 1480
16:46:12.119308 IP 10.22.200.21 > 10.20.10.141: icmp
16:46:12.197403 IP 10.20.10.141 > 10.22.200.21: ICMP echo reply, id 512, seq 16896, length 1480
16:46:12.197414 IP 10.20.10.141 > 10.22.200.21: icmp
16:46:13.128799 IP 10.22.200.21 > 10.20.10.141: ICMP echo request, id 512, seq 17152, length 1480
16:46:13.128805 IP 10.22.200.21 > 10.20.10.141: icmp
16:46:13.201023 IP 10.20.10.141 > 10.22.200.21: ICMP echo reply, id 512, seq 17152, length 1480
16:46:13.201033 IP 10.20.10.141 > 10.22.200.21: icmp
16:46:26.872047 IP 10.22.200.21.rna-lm > 10.20.10.141.telnet: S 579182992:579182992(0) win 16384
16:46:26.941687 IP 10.20.10.141.telnet > 10.22.200.21.rna-lm: S 2118087729:2118087729(0) ack 579182993 win 5840
16:46:26.941800 IP 10.22.200.21.rna-lm > 10.20.10.141.telnet: . ack 1 win 17520
16:46:30.537896 IP 10.20.10.141.telnet > 10.22.200.21.rna-lm: S 2118087729:2118087729(0) ack 579182993 win 5840
16:46:30.538000 IP 10.22.200.21.rna-lm > 10.20.10.141.telnet: . ack 1 win 17520
16:46:30.577673 IP 10.20.10.141.54127 > 10.22.200.21.auth: S 2118367383:2118367383(0) win 5840
16:46:30.577770 IP 10.22.200.21.auth > 10.20.10.141.54127: R 0:0(0) ack 2118367384 win 0
16:46:30.620047 IP 10.20.10.141.telnet > 10.22.200.21.rna-lm: P 1:13(12) ack 1 win 5840
16:46:30.620242 IP 10.22.200.21.rna-lm > 10.20.10.141.telnet: P 1:7(6) ack 13 win 17508
16:46:33.620543 IP 10.20.10.141.telnet > 10.22.200.21.rna-lm: P 1:13(12) ack 1 win 5840
16:46:33.620651 IP 10.22.200.21.rna-lm > 10.20.10.141.telnet: . ack 13 win 17508
16:46:33.964246 IP 10.22.200.21.rna-lm > 10.20.10.141.telnet: P 1:16(15) ack 13 win 17508
16:46:40.503254 IP 10.22.200.21.rna-lm > 10.20.10.141.telnet: P 1:16(15) ack 13 win 17508
16:46:40.538799 IP 10.20.10.141.telnet > 10.22.200.21.rna-lm: . ack 16 win 5840
16:46:40.538887 IP 10.20.10.141.telnet > 10.22.200.21.rna-lm: P 13:22(9) ack 16 win 5840
16:46:40.539062 IP 10.22.200.21.rna-lm > 10.20.10.141.telnet: P 16:28(12) ack 22 win 17499
16:46:46.528977 IP 10.20.10.141.telnet > 10.22.200.21.rna-lm: P 13:22(9) ack 16 win 5840
16:46:46.529081 IP 10.22.200.21.rna-lm > 10.20.10.141.telnet: . ack 22 win 17499
16:46:53.628188 IP 10.22.200.21.rna-lm > 10.20.10.141.telnet: P 16:38(22) ack 22 win 17499
16:47:05.221888 IP 10.22.200.21.vpvc > 10.20.10.141.telnet: P 1633240875:1633240887(12) ack 1931964537 win 17487
16:47:05.266687 IP 10.20.10.141.telnet > 10.22.200.21.vpvc: P 1:66(65) ack 12 win 5840
16:47:05.267008 IP 10.22.200.21.vpvc > 10.20.10.141.telnet: P 12:15(3) ack 66 win 17422
16:47:05.300951 IP 10.20.10.141.telnet > 10.22.200.21.vpvc: P 66:112(46) ack 15 win 5840
16:47:05.301179 IP 10.22.200.21.vpvc > 10.20.10.141.telnet: P 15:18(3) ack 112 win 17376
16:47:05.379114 IP 10.20.10.141.telnet > 10.22.200.21.vpvc: . ack 18 win 5840

-Matthew
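
An added example, not part of Matthew's message: Python that scans tcpdump text output in the format shown above and reports every SYN or data segment sent more than once in the same direction, with the delay before each resend. The sample lines are copied from the telnet portion of the capture above; `find_retransmissions` is a name chosen for this example.

```python
import re

# Lines copied from the telnet flow in the capture above (not the full trace).
CAPTURE = """\
16:46:26.941687 IP 10.20.10.141.telnet > 10.22.200.21.rna-lm: S 2118087729:2118087729(0) ack 579182993 win 5840
16:46:30.537896 IP 10.20.10.141.telnet > 10.22.200.21.rna-lm: S 2118087729:2118087729(0) ack 579182993 win 5840
16:46:30.620047 IP 10.20.10.141.telnet > 10.22.200.21.rna-lm: P 1:13(12) ack 1 win 5840
16:46:33.620543 IP 10.20.10.141.telnet > 10.22.200.21.rna-lm: P 1:13(12) ack 1 win 5840
16:46:33.964246 IP 10.22.200.21.rna-lm > 10.20.10.141.telnet: P 1:16(15) ack 13 win 17508
16:46:40.503254 IP 10.22.200.21.rna-lm > 10.20.10.141.telnet: P 1:16(15) ack 13 win 17508
16:46:40.538887 IP 10.20.10.141.telnet > 10.22.200.21.rna-lm: P 13:22(9) ack 16 win 5840
16:46:46.528977 IP 10.20.10.141.telnet > 10.22.200.21.rna-lm: P 13:22(9) ack 16 win 5840
"""

# time, src, dst, flags, then tcpdump's "first:last(len)" sequence field
SEG = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) IP (\S+) > (\S+): (\S+) (\d+):(\d+)\((\d+)\)"
)

def find_retransmissions(text):
    """Return (src, flags, 'first:last', gap_seconds) for each repeated segment."""
    last_seen = {}
    repeats = []
    for line in text.splitlines():
        m = SEG.match(line.strip())
        if not m:
            continue  # pure ACKs, ICMP and fragments carry no sequence range
        hh, mm, ss, src, dst, flags, first, last, length = m.groups()
        if int(length) == 0 and "S" not in flags:
            continue  # only SYNs and data segments are resent on a timer
        now = int(hh) * 3600 + int(mm) * 60 + float(ss)
        key = (src, dst, first, last)  # same direction, same sequence range
        if key in last_seen:
            gap = round(now - last_seen[key], 3)
            repeats.append((src, flags, f"{first}:{last}", gap))
        last_seen[key] = now
    return repeats

if __name__ == "__main__":
    for src, flags, seq, gap in find_retransmissions(CAPTURE):
        print(f"{src} resent [{flags}] seq {seq} after {gap:.3f}s")
```

Matching on the exact sequence range does not catch a resend that carries extra data, such as the `P 1:7(6)` segment later resent as `P 1:16(15)` in the capture.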