From: Kent Fox
To: "rwatson@FreeBSD.org", "freebsd-net@FreeBSD.org"
Date: Mon, 2 Feb 2009 08:21:56 -0700
Subject: RE: kern/112722: [udp] IP v4 udp fragmented packet reject

Thanks for the thought but we went back to OpenBSD and fixed our performance issue with some kernel parameters. I'm sorry that I cannot help out and duplicate the problem as I no longer have that environment. The main issue was the forced reassembly of fragmented packets. When the ingress packet size was maxed out, the egress with the tunnel encapsulation was too large and the packet was discarded. We tried a smaller MTU on the ingress but we still could never make it work. Doing an IPsec tunnel with RDP was a sure way of killing the connection.

So what you have is C------>FW------->S. From C(lient) to the S(erver) there is an IPSec tunnel (all the way) and from C to FW (firewall FreeBSD server) is another IPSec tunnel (tunnel on the intranet (now GRE)).

Hope that helps.

Kent

-----Original Message-----
From: rwatson@FreeBSD.org [mailto:rwatson@FreeBSD.org]
Sent: Monday, February 02, 2009 4:49 AM
To: Kent Fox; rwatson@FreeBSD.org; freebsd-net@FreeBSD.org
Subject: Re: kern/112722: [udp] IP v4 udp fragmented packet reject

Synopsis: [udp] IP v4 udp fragmented packet reject

State-Changed-From-To: open->feedback
State-Changed-By: rwatson
State-Changed-When: Mon Feb 2 11:31:13 UTC 2009
State-Changed-Why:
Dear Kent:

I apologize for the delay in response to this problem report. Could I ask you to:

(1) Confirm the problem still exists, especially if you've moved forward to a more recent rev of FreeBSD.

(2) Let me know a bit more about your firewall/ipsec/etc setup. In particular, if you can easily identify a minimalist setup to reproduce this problem. Do the packets you're describing enter via a tunnel, or do they arrive unencapsulated?

(3) Send me tcpdump output that shows the packet ingress and resulting ICMP.

Thanks,

Robert

http://www.freebsd.org/cgi/query-pr.cgi?pr=112722