Date: Mon, 2 Feb 2009 08:21:56 -0700 From: Kent Fox <Kent.Fox@imail.org> To: "rwatson@FreeBSD.org" <rwatson@FreeBSD.org>, "freebsd-net@FreeBSD.org" <freebsd-net@FreeBSD.org> Subject: RE: kern/112722: [udp] IP v4 udp fragmented packet reject Message-ID: <2DCF87E25FD89A4AAEF4B6C37BD1B2F97F8F5B44B1@LP-EXMBVS03.CO.IHC.COM> In-Reply-To: <200902021148.n12Bminv031630@freefall.freebsd.org> References: <200902021148.n12Bminv031630@freefall.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Thanks for the thought but we went back to OpenBSD and fixed our performanc= e issue with some kernel parameters. I'm sorry that I cannot help out and d= uplicate the problem as I no longer have that environment. The main issue w= as the forced reassembly of fragmented packets. When the ingress packet siz= e was maxed out, the egress with the tunnel encapsulation was too large and= the packet was discarded. We tried a smaller MTU on the ingress but we sti= ll could never make it work. Doing an IPsec tunnel with RDP was a sure way = of killing the connection. So what you have is C------>FW------->S. From C(= lient) the S(erver) there is an IPSec tunnel (all the way) and from C to FW= (firewall FreeBSD server) is another IPSec tunnel (tunnel on the intranet (= now GRE)). Hope that helps. Kent -----Original Message----- From: rwatson@FreeBSD.org [mailto:rwatson@FreeBSD.org]=20 Sent: Monday, February 02, 2009 4:49 AM To: Kent Fox; rwatson@FreeBSD.org; freebsd-net@FreeBSD.org Subject: Re: kern/112722: [udp] IP v4 udp fragmented packet reject Synopsis: [udp] IP v4 udp fragmented packet reject State-Changed-From-To: open->feedback State-Changed-By: rwatson State-Changed-When: Mon Feb 2 11:31:13 UTC 2009 State-Changed-Why:=20 Dear Kent: I apologize for the delay in response to this problem report. Could I ask you to: (1) Confirm the problem still exists, especially if you've moved forward to a more recent rev of FreeBSD. (2) Let me know a bit more about your firewall/ipsec/etc setup. In particular, if you can easily identify a minimalist setup to reproduce this problem. Do the packets you're describing enter via a tunnel, or do they arrive unencapsulated? (3) Send me tcpdump output that shows the packet ingress and resulting ICMP. Thanks, Robert http://www.freebsd.org/cgi/query-pr.cgi?pr=3D112722
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2DCF87E25FD89A4AAEF4B6C37BD1B2F97F8F5B44B1>