Date: Mon, 2 Feb 2009 08:21:56 -0700
From: Kent Fox <Kent.Fox@imail.org>
To: "rwatson@FreeBSD.org" <rwatson@FreeBSD.org>, "freebsd-net@FreeBSD.org" <freebsd-net@FreeBSD.org>
Subject: RE: kern/112722: [udp] IP v4 udp fragmented packet reject
Message-ID: <2DCF87E25FD89A4AAEF4B6C37BD1B2F97F8F5B44B1@LP-EXMBVS03.CO.IHC.COM>
In-Reply-To: <200902021148.n12Bminv031630@freefall.freebsd.org>
References: <200902021148.n12Bminv031630@freefall.freebsd.org>

Thanks for the thought but we went back to OpenBSD and fixed our performance issue with some kernel parameters. I'm sorry that I cannot help out and duplicate the problem as I no longer have that environment.

The main issue was the forced reassembly of fragmented packets. When the ingress packet size was maxed out, the egress with the tunnel encapsulation was too large and the packet was discarded. We tried a smaller MTU on the ingress but we still could never make it work. Doing an IPsec tunnel with RDP was a sure way of killing the connection.

So what you have is

C------>FW------->S

From C(lient) to the S(erver) there is an IPSec tunnel (all the way) and from C to FW (firewall FreeBSD server) is another IPSec tunnel (tunnel on the intranet (now GRE)).

Hope that helps.

Kent

-----Original Message-----
From: rwatson@FreeBSD.org [mailto:rwatson@FreeBSD.org]
Sent: Monday, February 02, 2009 4:49 AM
To: Kent Fox; rwatson@FreeBSD.org; freebsd-net@FreeBSD.org
Subject: Re: kern/112722: [udp] IP v4 udp fragmented packet reject

Synopsis: [udp] IP v4 udp fragmented packet reject

State-Changed-From-To: open->feedback
State-Changed-By: rwatson
State-Changed-When: Mon Feb 2 11:31:13 UTC 2009
State-Changed-Why:
Dear Kent:

I apologize for the delay in response to this problem report. Could I ask you to:

(1) Confirm the problem still exists, especially if you've moved forward to a more recent rev of FreeBSD.

(2) Let me know a bit more about your firewall/ipsec/etc setup. In particular, if you can easily identify a minimalist setup to reproduce this problem. Do the packets you're describing enter via a tunnel, or do they arrive unencapsulated?

(3) Send me tcpdump output that shows the packet ingress and resulting ICMP.

Thanks,

Robert

http://www.freebsd.org/cgi/query-pr.cgi?pr=112722

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2DCF87E25FD89A4AAEF4B6C37BD1B2F97F8F5B44B1>
