Path MTU discovery broken in IPSec

Khetan Gajjar khetan at os.org.za
Fri Nov 10 11:13:55 UTC 2006


Hi Bjoern.

My apologies for the delay in response.

> and no rules specific to ICMP?

The only ICMP-specific rules allow everything through:

[host1] ~# ipfw show | grep icmp
01700    35776     3023614 pipe 25 icmp from any to table(1) in via em0
01701    35776     3023614 skipto 1999 icmp from any to table(1) in via em0
01702    35009     2970684 pipe 26 icmp from table(1) to any out via em0
01703    35009     2970684 skipto 1999 icmp from table(1) to any out via em0
02004    37204     3144438 allow icmp from any to table(1) in via em0
02005    41289     3498204 allow icmp from table(1) to any out via em0

And similarly for host2:

[host2] ~# ipfw show | grep icmp
01700    21550     1789832 pipe 25 icmp from any to table(1) in via fxp0
01701    21550     1789832 skipto 1999 icmp from any to table(1) in via fxp0
01702    21190     1770208 pipe 26 icmp from table(1) to any out via fxp0
01703    21190     1770208 skipto 1999 icmp from table(1) to any out via fxp0
02004    22899     1903148 allow icmp from any to table(1) in via fxp0
02005    27470     2297728 allow icmp from table(1) to any out via fxp0

> can you start trying with ping -s 1000 and going up to see when it
> starts to fail? Try to find out exactly.

It appears to be fine up until between 8000 and 9000, without any issues.

Up to 8000, it appears to be fine.

[host1] ~# ping -s 8000 citadel.os.org.za
PING host2 (y.y.y.y): 8000 data bytes
8008 bytes from y.y.y.y: icmp_seq=0 ttl=112 time=533.652 ms
8008 bytes from y.y.y.y: icmp_seq=1 ttl=112 time=544.826 ms
8008 bytes from y.y.y.y: icmp_seq=2 ttl=112 time=531.899 ms
8008 bytes from y.y.y.y: icmp_seq=3 ttl=112 time=581.185 ms
8008 bytes from y.y.y.y: icmp_seq=4 ttl=112 time=674.831 ms
8008 bytes from y.y.y.y: icmp_seq=5 ttl=112 time=674.271 ms
^C
--- host2 ping statistics ---
7 packets transmitted, 6 packets received, 14% packet loss
round-trip min/avg/max/stddev = 531.899/590.111/674.831/61.870 ms

By 9000, it starts to drop packets.

[host1] ~# ping -s 9000 host2
PING host2 (y.y.y.y): 9000 data bytes
9008 bytes from y.y.y.y: icmp_seq=0 ttl=112 time=554.908 ms
9008 bytes from y.y.y.y: icmp_seq=2 ttl=112 time=527.464 ms
9008 bytes from y.y.y.y: icmp_seq=3 ttl=112 time=553.512 ms
9008 bytes from y.y.y.y: icmp_seq=4 ttl=112 time=755.606 ms
9008 bytes from y.y.y.y: icmp_seq=5 ttl=112 time=484.681 ms
9008 bytes from y.y.y.y: icmp_seq=6 ttl=112 time=485.256 ms
9008 bytes from y.y.y.y: icmp_seq=7 ttl=112 time=488.802 ms
9008 bytes from y.y.y.y: icmp_seq=8 ttl=112 time=491.750 ms
9008 bytes from y.y.y.y: icmp_seq=9 ttl=112 time=493.689 ms
9008 bytes from y.y.y.y: icmp_seq=11 ttl=112 time=547.049 ms
9008 bytes from y.y.y.y: icmp_seq=12 ttl=112 time=668.788 ms
9008 bytes from y.y.y.y: icmp_seq=13 ttl=112 time=479.957 ms
9008 bytes from y.y.y.y: icmp_seq=14 ttl=112 time=478.519 ms
9008 bytes from y.y.y.y: icmp_seq=15 ttl=112 time=479.967 ms
9008 bytes from y.y.y.y: icmp_seq=16 ttl=112 time=480.166 ms
9008 bytes from y.y.y.y: icmp_seq=17 ttl=112 time=492.812 ms
^C
--- host2 ping statistics ---
18 packets transmitted, 16 packets received, 11% packet loss
round-trip min/avg/max/stddev = 478.519/528.933/755.606/75.693 ms

At 15000, it is fairly horrendous.

[host1] ~# ping -s 15000 host2
PING host2 (y.y.y.y): 15000 data bytes
15008 bytes from y.y.y.y: icmp_seq=1 ttl=112 time=510.439 ms
15008 bytes from y.y.y.y: icmp_seq=2 ttl=112 time=497.274 ms
15008 bytes from y.y.y.y: icmp_seq=5 ttl=112 time=536.947 ms
15008 bytes from y.y.y.y: icmp_seq=6 ttl=112 time=567.623 ms
15008 bytes from y.y.y.y: icmp_seq=7 ttl=112 time=534.828 ms
15008 bytes from y.y.y.y: icmp_seq=8 ttl=112 time=534.521 ms
15008 bytes from y.y.y.y: icmp_seq=13 ttl=112 time=574.470 ms
15008 bytes from y.y.y.y: icmp_seq=16 ttl=112 time=588.514 ms
15008 bytes from y.y.y.y: icmp_seq=17 ttl=112 time=575.090 ms
15008 bytes from y.y.y.y: icmp_seq=21 ttl=112 time=548.478 ms
^C
--- host2 ping statistics ---
23 packets transmitted, 10 packets received, 56% packet loss
round-trip min/avg/max/stddev = 497.274/546.818/588.514/28.122 ms

> Also could you post the relevant netstat -rnW output?

On host1:

[host1] ~# netstat -rnW
Routing tables

Internet:
Destination        Gateway            Flags    Refs       Use    Mtu  Netif Expire
default            x.x.x.1            UGS         0 705597552   1000    em0
127.0.0.1          127.0.0.1          UH          0   2887710  16384    lo0
x.x.x              link#1             UC          0         0   1500    em0
x.x.x.1            00:00:0c:07:ac:0a  UHLW        2     72598   1500    em0   1110
x.x.x.x            00:12:3f:ec:d1:ce  UHLW        1  28404610   1500    lo0

Internet6:
Destination                       Gateway                       Flags    Refs      Use    Mtu    Netif Expire
::1                               ::1                           UH          0        0  16384      lo0
fe80::%em0/64                     link#1                        UC          0        0   1500      em0
fe80::212:3fff:feec:d1ce%em0      00:12:3f:ec:d1:ce             UHL         0        0   1500      lo0
fe80::%lo0/64                     fe80::1%lo0                   U           0        0  16384      lo0
fe80::1%lo0                       fe80::1%lo0                   UHL         0        0  16384      lo0
ff01:1::/32                       link#1                        UC          0        0   1500      em0
ff01:3::/32                       ::1                           UC          0        0  16384      lo0
ff02::%em0/32                     link#1                        UC          0        0   1500      em0
ff02::%lo0/32                     ::1                           UC          0        0  16384      lo0

And on host2:

[host2] ~# netstat -rnW
Routing tables

Internet:
Destination        Gateway            Flags    Refs       Use    Mtu  Netif Expire
default            y.y.y.185          UGS         0 187571667   1500   fxp0
127.0.0.1          127.0.0.1          UH          0   8689214  16384    lo0
y.y.y.185          00:0f:34:b7:dc:7f  UHLW        2     72625   1500   fxp0    747
y.y.y.y            00:02:b3:eb:21:db  UHLW        1  43334553   1500    lo0

Internet6:
Destination                       Gateway                       Flags    Refs      Use    Mtu    Netif Expire
::1                               ::1                           UH          0        0  16384      lo0
fe80::%fxp0/64                    link#1                        UC          0        0   1500     fxp0
fe80::202:b3ff:feeb:21db%fxp0     00:02:b3:eb:21:db             UHL         0        0   1500      lo0
fe80::%lo0/64                     fe80::1%lo0                   U           0        0  16384      lo0
fe80::1%lo0                       fe80::1%lo0                   UHL         0        0  16384      lo0
ff01:1::/32                       link#1                        UC          0        0   1500     fxp0
ff01:3::/32                       ::1                           UC          0        0  16384      lo0
ff02::%fxp0/32                    link#1                        UC          0        0   1500     fxp0
ff02::%lo0/32                     ::1                           UC          0        0  16384      lo0

Thanks for your assistance!

--
Khetan Gajjar
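An added example, not from the thread, that works out the arithmetic behind the ping sweep above: how many IPv4 fragments each `-s` size needs on the path, and, from the ping summary lines, the per-fragment loss rate that would account for the observed datagram loss if fragments were dropped independently. The 1500-byte path MTU and zero encapsulation overhead are assumptions; pass the ESP overhead of your own SA as `overhead` to see how IPsec shifts the fragmentation boundary.

```python
"""Fragment arithmetic for a ping -s size sweep (constructed example)."""
import math
import re

IP_HDR = 20    # IPv4 header without options
ICMP_HDR = 8   # ICMP echo header

def fragment_count(data_bytes, mtu=1500, overhead=0):
    """Fragments needed for an ICMP echo carrying `data_bytes` of payload.

    `overhead` is bytes taken from the path MTU by encapsulation (for ESP
    tunnel mode: outer IP + ESP header, trailer and ICV). Default 0 assumes
    a plain 1500-byte path.
    """
    effective_mtu = mtu - overhead
    total = IP_HDR + ICMP_HDR + data_bytes
    if total <= effective_mtu:
        return 1
    # Every fragment repeats the IP header; fragment offsets are 8-byte units.
    per_fragment = (effective_mtu - IP_HDR) // 8 * 8
    return math.ceil((total - IP_HDR) / per_fragment)

STATS_RE = re.compile(r"(\d+) packets transmitted, (\d+) packets received")

def parse_ping_stats(line):
    """Return (transmitted, received) from a BSD ping summary line."""
    m = STATS_RE.search(line)
    if not m:
        raise ValueError("not a ping statistics line: %r" % line)
    return int(m.group(1)), int(m.group(2))

def per_fragment_loss(transmitted, received, fragments):
    """Per-fragment loss p such that an n-fragment datagram is lost with
    probability 1 - (1 - p)**n, assuming independent fragment loss."""
    datagram_loss = 1 - received / transmitted
    return 1 - (1 - datagram_loss) ** (1 / fragments)

# Constructed from the summary lines of the three pings in the mail above.
SWEEP = [
    (8000, "7 packets transmitted, 6 packets received, 14% packet loss"),
    (9000, "18 packets transmitted, 16 packets received, 11% packet loss"),
    (15000, "23 packets transmitted, 10 packets received, 56% packet loss"),
]

def analyse(sweep=SWEEP, mtu=1500, overhead=0):
    """Return [(size, fragments, datagram_loss, per_fragment_loss)] per row."""
    rows = []
    for size, line in sweep:
        tx, rx = parse_ping_stats(line)
        n = fragment_count(size, mtu, overhead)
        rows.append((size, n, 1 - rx / tx, per_fragment_loss(tx, rx, n)))
    return rows

if __name__ == "__main__":
    for size, n, loss, p in analyse():
        print("-s %5d: %2d fragments, %3.0f%% datagram loss, ~%.1f%% per fragment"
              % (size, n, loss * 100, p * 100))
```

If the per-fragment estimate is roughly constant across sizes, plain fragment loss explains the curve; if it jumps at the larger sizes, as it does here, something other than independent fragment drops is at work and the MTU path itself deserves a closer look.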


