kern/112722: [udp] IP v4 udp fragmented packet reject

Kent Fox Kent.Fox at imail.org
Mon Feb 2 07:56:45 PST 2009


Thanks for the thought but we went back to OpenBSD and fixed our performance issue with some kernel parameters. I'm sorry that I cannot help out and duplicate the problem as I no longer have that environment. The main issue was the forced reassembly of fragmented packets. When the ingress packet size was maxed out, the egress with the tunnel encapsulation was too large and the packet was discarded. We tried a smaller MTU on the ingress but we still could never make it work. Doing an IPsec tunnel with RDP was a sure way of killing the connection. So what you have is C------>FW------->S. From C(lient) to the S(erver) there is an IPsec tunnel (all the way) and from C to FW (firewall FreeBSD server) is another IPsec tunnel (tunnel on the intranet (now GRE)).

Hope that helps.

Kent

-----Original Message-----
From: rwatson at FreeBSD.org [mailto:rwatson at FreeBSD.org] 
Sent: Monday, February 02, 2009 4:49 AM
To: Kent Fox; rwatson at FreeBSD.org; freebsd-net at FreeBSD.org
Subject: Re: kern/112722: [udp] IP v4 udp fragmented packet reject

Synopsis: [udp] IP v4 udp fragmented packet reject

State-Changed-From-To: open->feedback
State-Changed-By: rwatson
State-Changed-When: Mon Feb 2 11:31:13 UTC 2009
State-Changed-Why: 
Dear Kent:

I apologize for the delay in response to this problem report.  Could I ask
you to:

(1) Confirm the problem still exists, especially if you've moved forward
  to a more recent rev of FreeBSD.

(2) Let me know a bit more about your firewall/ipsec/etc setup.  In
  particular, if you can easily identify a minimalist setup to reproduce
  this problem.  Do the packets you're describing enter via a tunnel, or
  do they arrive unencapsulated?

(3) Send me tcpdump output that shows the packet ingress and resulting
  ICMP.

Thanks,

Robert



http://www.freebsd.org/cgi/query-pr.cgi?pr=112722

