Re: DF bit - Don't Fragment
Just to mention, but when you have PMTU occurring in a VPN context, you
have a problem if the lower MTU is in the tunneled packet path:
the ICMP will be sent to the originator of the
encapsulated packet, which is the VPN box, which itself can't send it back
to the client, and so PMTU is broken. In IPsec, there is a way (which
consists of maintaining an MTU value per outgoing SA), but for CIPE I
don't know how they deal with it. Another trick is to change the TCP MSS
value on the fly, --clamp-to-pmtu with iptables if I am right.
On Mon, Jun 21, 2004 at 04:35:25PM +0200, Andrew Miehs wrote:
> Will have to try it again...
> The reason why Path MTU doesn't work, is that our F5s (BigIPs) seem to
> have a broken implementation of NATing ICMP PMTU packets (at least when
> using Aggregate ALL - OneConnect or SNAT)
> > My bet would be that someone is blocking icmp messages (you, your
> > firewall, your ISP?). There's a really good explanation of PMTU at
> > http://www.netheaven.com/pmtu.html that should explain all that for
> > you.
> > As someone else suggested you can lower the MTU and probably get around
> > the problem but it would be better to try and figure out which router
> > is blocking your PMTU attempts ... play with the -M option to ping (at
> > least in iputils-ping from testing).
> > Of course I've never used CIPE so I may be totally off base.
> > --
> > Fraser Campbell <firstname.lastname@example.org>
> > http://www.wehave.net/ Georgetown, Ontario, Canada
> > Debian GNU/Linux
> > --
> > To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact
> > email@example.com
-> Jean-Francois Dive
I think that God in creating Man somewhat overestimated his ability.
-- Oscar Wilde
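
Added example, not part of the original thread: a simplified Python model of the situation described in the message above, showing PMTU discovery black-holing behind a tunnel gateway, the per-SA MTU approach recovering it, and MSS clamping avoiding the oversized packet in the first place. The 60-byte tunnel overhead and all class and function names are assumptions made for illustration.

```python
# Constructed model: a VPN gateway encapsulates a client's DF packets and sends
# them over a path whose smallest MTU is lower than the client's link MTU.
IP_HDR, TCP_HDR = 20, 20
TUNNEL_OVERHEAD = 60  # assumed per-packet encapsulation cost, in bytes


class Gateway:
    def __init__(self, track_sa_mtu):
        self.track_sa_mtu = track_sa_mtu
        self.sa_mtu = None  # path MTU remembered for the outgoing SA, if tracked

    def on_icmp_frag_needed(self, next_hop_mtu):
        # The ICMP is addressed to the outer source (this gateway), not the client.
        if self.track_sa_mtu:
            self.sa_mtu = next_hop_mtu

    def forward(self, inner_len, path_mtu):
        """Return ('delivered', None), ('icmp_to_client', mtu) or ('dropped', None)."""
        outer_len = inner_len + TUNNEL_OVERHEAD
        if self.sa_mtu is not None and outer_len > self.sa_mtu:
            # Gateway answers the client itself with the usable inner MTU.
            return ("icmp_to_client", self.sa_mtu - TUNNEL_OVERHEAD)
        if outer_len > path_mtu:
            self.on_icmp_frag_needed(path_mtu)  # router on the tunnel path replies
            return ("dropped", None)
        return ("delivered", None)


def send_with_pmtud(gw, client_mtu, path_mtu, max_tries=5):
    """Client retransmits DF packets, shrinking only when an ICMP reaches it."""
    size = client_mtu
    for attempt in range(1, max_tries + 1):
        status, mtu = gw.forward(size, path_mtu)
        if status == "delivered":
            return size, attempt
        if status == "icmp_to_client":
            size = mtu
    return None, max_tries  # black hole: the client never learned the path MTU


def clamp_mss(syn_mss, path_mtu):
    """MSS a gateway would write into a forwarded SYN so segments fit the tunnel."""
    return min(syn_mss, path_mtu - TUNNEL_OVERHEAD - IP_HDR - TCP_HDR)


if __name__ == "__main__":
    print("no per-SA MTU :", send_with_pmtud(Gateway(False), 1500, 1400))
    print("per-SA MTU    :", send_with_pmtud(Gateway(True), 1500, 1400))
    print("clamped MSS   :", clamp_mss(1460, 1400))
```

In this model the first packet is still lost even with per-SA tracking, because the gateway only learns the lower MTU from the ICMP that the dropped packet triggers.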