To: cipe-l,AT,inka,DOT,de
Subject: Re: Slow file sharing performance
From: James Knott <james.knott,AT,rogers,DOT,com>
Date: Mon, 01 Sep 2003 07:59:53 -0400

Peter van den Heuvel wrote:
One other reason might be a firewall you are running.
You must allow at least some ICMP to get through.

The VPN works fine for everything but NFS and SMB, and the problem is only in the one direction. This would indicate that the firewall is passing all that's necessary for the vpn to operate.

Not necessarily. The queries going one way are smaller than the results that flow back. If somewhere along the line a packet gets fragmented you'll receive an ICMP must-fragment. If these are not processed you'll see large amounts of re-transmits based on time-outs. I've run into that problem myself quite some time ago.

I've not seen any such ICMP messages, using Ethereal.

Also, there are no firewall rules applied to the vpn traffic.

The relevant ICMP in this case comes over the "Internet" interface.

My firewall is configured to allow ICMP.

My firewall runs IPTables on Red Hat 7.3 and the firewall rules allow ICMP from the outside world.

OK, that should rule this one out.

If anyone is interested, I could send some Ethereal dumps of the situation.

You also might want to play with some simulated load and traffic / bandwidth measurements. That might be easier to interpret than, for example, NFS. It would also be relevant to know the difference in ping-time and bandwidth between native and cipe (both ways).

Good luck, Peter
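
The ICMP "must-fragment" message discussed in this thread is ICMP type 3, code 4 (destination unreachable, fragmentation needed), which carries the next-hop MTU. As an added example, not part of the original message, this Python code recognises such a message in a raw IPv4 packet taken from a capture and reports which flow it refers to; the addresses and sample packets are constructed, and checksums are not validated.

```python
import socket
import struct

def ipv4_header(src, dst, proto, total_len, df=False):
    """Build a 20-byte IPv4 header for the constructed samples (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0,
                       0x4000 if df else 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def parse_frag_needed(packet):
    """Return details if packet (raw IPv4, starting at the IP header) is an
    ICMP type 3 code 4 'fragmentation needed' message, otherwise None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8:  # protocol 1 = ICMP
        return None
    icmp_type, icmp_code, _cksum, _unused, next_hop_mtu = struct.unpack(
        "!BBHHH", packet[ihl:ihl + 8])
    if (icmp_type, icmp_code) != (3, 4):
        return None
    info = {"reporter": socket.inet_ntoa(packet[12:16]),
            "next_hop_mtu": next_hop_mtu}
    inner = packet[ihl + 8:]  # header of the packet that was too big
    if len(inner) >= 20 and inner[0] >> 4 == 4:
        info["orig_len"] = struct.unpack("!H", inner[2:4])[0]
        info["orig_df"] = bool(inner[6] & 0x40)  # Don't Fragment bit
        info["orig_src"] = socket.inet_ntoa(inner[12:16])
        info["orig_dst"] = socket.inet_ntoa(inner[16:20])
    return info

# Constructed samples: a 1500-byte UDP packet with DF set that a router
# (203.0.113.1) could not forward over a 1492-byte link, and an echo request.
ORIG = ipv4_header("192.0.2.10", "198.51.100.20", 17, 1500, df=True) + b"\x00" * 8
ICMP = struct.pack("!BBHHH", 3, 4, 0, 0, 1492) + ORIG
SAMPLE_FRAG_NEEDED = ipv4_header("203.0.113.1", "192.0.2.10", 1, 20 + len(ICMP)) + ICMP
SAMPLE_ECHO = (ipv4_header("203.0.113.1", "192.0.2.10", 1, 28)
               + struct.pack("!BBHHH", 8, 0, 0, 1, 1))

if __name__ == "__main__":
    for name, pkt in (("frag-needed", SAMPLE_FRAG_NEEDED), ("echo", SAMPLE_ECHO)):
        print(name, parse_frag_needed(pkt))
```

If a capture on the Internet-facing interface never yields a match while large transfers stall, the messages are either not being generated or are being dropped before they reach the capture point.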

