Re: paket fragmentation and mtu|
Stephan von Krawczynski <skraw,AT,ithnet,DOT,com>|
Wed, 11 Jul 2001 10:49:03 +0200|
---Reply on mail from Mikeeo about paket fragmentation and mtu
> Is there someone along the path or you blocking ICMP? type 3 is the the type
> u cannot block so make sure that icmp type 3 messages are getting through
> trouble shoot with tcpdump or ethereal.
you are definitely right, only I have no chance to change this. The problem
is on the other side of the request (e.g. at www.elsa.de). I can see the
ICMP packet leave at my side, but nevertheless www.elsa.de tries several times
to send the same packet (with same length of 1500 bytes) and then timeouts.
As I am not the world-wide-web-police that runs after people not able to
configure their firewalls, I definitely need some patch.
I updated all cipes to 1.5.2 yesterday and the problem stays (of course).
Logfile shows this:
Jul 11 09:07:21 firewall1-pla kernel: Packet log: uu_in ACCEPT hdlc1 PROTO=6
www.elsa.de:80 win-client:1441 L=1500 S=0x00 I=0 F=0x4000 T=49 (#3)
Jul 11 09:07:21 firewall1-pla kernel: Packet log: uu_out ACCEPT hdlc1 PROTO=1
cipe-router:3 www.elsa.de:4 L=576 S=0xC0 I=21686 F=0x0000 T=253 (#3)
This repeats several times, and then www.elsa.de timeouts.
How can we make it work? Obviously cipe should fragment the packet itself,
and not care about the mtu at all. I thought this should be done by increasing
mtu in cipe's configfile. But that doesn't seem to work. Anybody out there