|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: PMTU and Broken Servers
Hi Leo,
#The tunnel between the tunnelboxes is a lower (1480) MTU. Originally
#the user couldn't access some servers, turns out the firewall was
#filtering ICMP Can't Fragment messages, preventing PMTU from working
#in the server->user direction (tunnelbox1 would generate Can't
#Fragement, firewall would filter).
This is actually a more broadly present problem than you might think.
I talked about this in the context of a jumbo frames presentation
("Practical Issues Associated with 9K MTUs") I did for the February
NLANR/I2 Joint Techs in Miami; see:
http://darkwing.uoregon.edu/~joe/jumbos/ (PDF and PowerPoint versions provided)
#I find it slightly
#(emphasis on the slightly) that someone would turn on PMTU discovery,
#and then filter it out right in front of the boxes where they turned
#it on.
Different folks are probably driving the server network configuration and
the firewall/border router configuration process. Disconnect is not
inconceivable in that scenario by any means.
#This is a new problem to me, but I'm sure people have run into it
#before. Are the servers really that broken (PMTU enabled, ICMP
#Can't Fragement filtered)?
Yes, it is a huge issue potentially.
Regards,
Joe St Sauver ([email protected])
Univeristy of Oregon Computing Center
|