pmtud problem
Stephen Clark
Stephen.Clark at seclark.us
Wed Feb 14 18:27:11 UTC 2007
Tom Judge wrote:
>Stephen Clark wrote:
>
>
>>Hello List,
>>
>>We have a setup that looks like the following.
>>
>>pc <-ethernet-> freebsd 4.9 <-pppoe-> internet <-ethernet-> freebsd 6.1
>>On the freebsd box we have a gre tunnel with an mtu of 1420 feeding into a
>>gif vpn tunnel with an mtu of 1280 (I know this is dumb but it is the default
>>value when you create a gif)
>>feeding into a tun0 with an mtu of 1492.
>>
>>What we see is the packet never makes it to the freebsd 6.1 system.
>>
>>If the pc sends a packet of 1460 bytes with the DF bit set, shouldn't the
>>freebsd 4.9 system send back an icmp dest unreachable - fragmentation
>>needed and DF bit set?
>>$ sysctl -a | grep mtu
>>net.inet.tcp.path_mtu_discovery: 1
>>
>>Now if I change the mtu of the gre to 1412 everything works.
>>
>>Any insight would be appreciated.
>>
>>Thanks,
>>Steve
>>
>>
>
>Are you using IPSEC on your gif interface? If so there is a bug in 6.1
>where the IPSEC code that is responsible for populating the ICMP packet
>fields (Fragmentation needed and the MTU hint) fails to set the MTU hint
>in the icmp packet. The problem is fixed in 6.2 and it is a very simple
>patch for 6.1.
>
>Please see the link for the discussion on this problem back in November.
>
>http://groups.google.ms/group/muc.lists.freebsd.hackers/browse_thread/thread/bff95bd13d700fde/51a27f0d0c42ee92
>
>Regards
>
>Tom J
>
>
>
Hi Tom,
Thanks, I saw that when I was sending from the 6.1 side and was sort of
surprised there was no mtu hint size. I'll get the patch and apply it.
The real place I am seeing the problem is on the other side.
Regards,
Steve
--
"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety." (Ben Franklin)
"The course of history shows that as a government grows, liberty
decreases." (Thomas Jefferson)
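
Added example (not part of the original thread and not FreeBSD code): a Python check for the symptom Tom describes, an ICMP "fragmentation needed" message whose next-hop MTU field is left at zero. The sample packets are constructed, the addresses are documentation ranges, and the fallback for a missing hint is assumed to be the RFC 1191 plateau table.

```python
import struct

# RFC 1191 section 7.1 plateau table, used when a router sends no MTU hint.
PLATEAUS = (65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frag_needed(mtu_hint: int, orig_len: int) -> bytes:
    """Constructed sample: ICMP type 3 code 4 quoting a DF-flagged IPv4 header."""
    orig = struct.pack("!BBHHHBBH4s4s", 0x45, 0, orig_len, 1, 0x4000, 64, 6, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    orig += b"\x00" * 8  # first 8 bytes of the original payload
    body = struct.pack("!BBHHH", 3, 4, 0, 0, mtu_hint) + orig
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def analyse(icmp: bytes) -> dict:
    """Classify an ICMP message for PMTUD troubleshooting."""
    if len(icmp) < 28:
        raise ValueError("too short for ICMP error plus quoted IPv4 header")
    if inet_checksum(icmp) != 0:  # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        return {"frag_needed": False}
    # Quoted IPv4 header starts at offset 8: total length, id, flags/fragment.
    total_len, _, flags_frag = struct.unpack("!HHH", icmp[10:16])
    result = {"frag_needed": True, "orig_len": total_len,
              "df_set": bool(flags_frag & 0x4000), "hint": mtu}
    if mtu == 0 or mtu >= total_len:
        # Missing or useless hint: fall back to the next lower plateau.
        result["hint_usable"] = False
        result["next_mtu"] = next((p for p in PLATEAUS if p < total_len), 68)
    else:
        result["hint_usable"] = True
        result["next_mtu"] = mtu
    return result

if __name__ == "__main__":
    print(analyse(build_frag_needed(0, 1460)))     # hint missing
    print(analyse(build_frag_needed(1280, 1460)))  # hint present
```

With the hint missing, the sender can only guess downward, which makes path MTU discovery converge on a smaller value than the path actually supports.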
More information about the freebsd-net mailing list