RE: [fw-wiz] MTU issue routing traffic via Cisco GRE tunnel to Nokia/Check Point firewall

From: Ben Nagy (ben_at_iagu.net)
Date: 12/08/03

  • Next message: Sloane, David: "[fw-wiz] RE:[fw-wiz]: unable to ping behind the firewall"
    To: <firewall-wizards@honor.icsalabs.com>
    Date: Mon, 8 Dec 2003 10:30:05 +0100
    
    

    Ok, I have a working theory. Stop me if you've heard this one... ;)

    It's PMTU-D. Again.

    Just confirm that someone hasn't helpfully "tightened" your firewall
    settings to deny all outbound ICMP errors. Over-enthusiastic firewall
    monkeys seem to do that fairly often.

    If those ICMP unreachables aren't actually getting back through the firewall
    to the sending host (the outside webserver) then it will be breaking path
    MTU discovery, and you'll get symptoms like what you're seeing.

    As a workaround, you can lower the MTU on your Paris LAN hosts. This will
    make sure that the client never asks for an MSS big enough to cause the
    problem. I guess 1380 would be the magic number there, but I haven't
    actually checked the overheads. That's a horribly ugly thing to do, by the
    way, and I feel kind of bad for suggesting it.

    'luck...

    ben

    (Oh, and let me know the result? I like mysteries.)

    [1] http://www.ietf.org/rfc/rfc1191.txt

    > -----Original Message-----
    > From: firewall-wizards-admin@honor.icsalabs.com
    > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf
    > Of marcel.cook@convergys.com
    > Sent: Thursday, December 04, 2003 12:24 PM
    > To: firewall-wizards@honor.icsalabs.com
    > Subject: [fw-wiz] MTU issue routing traffic via Cisco GRE
    > tunnel to Nokia/Check Point firewall
    >
    > We have been suffering an issue to do with Checkpoint, Cisco
    > GRE tunnels and MTU size for a number of months now[...]
    [...]
    > The Cisco GRE tunnel has a MTU size of 1420 set at both ends
    > for it's tunnel interfaces. This is the highest we can use
    > based on the encryption/encapsulation chosen in order to
    > facilitate protocols such as OSPF from working over the link.
    > All other interfaces along the way (router ethernets and
    > Nokia interfaces) are set the default 1500.
    [...]
    > When running a tcpdump on the IP530 in London (on the
    > external interface), during a session from Paris to one of
    > the offending websites, the following is logged:
    [...]
    > 16:36:27.586541 I 194.3.182.10.80 > 154.38.47.5.41571: .
    > 1:1461(1460) ack
    > 249 win 63992 (DF)
    > 16:36:27.588356 O 154.38.47.5 > 194.3.182.10: icmp:
    > 154.38.47.5 unreachable
    > - need to frag (mtu 1420)
    [...]
    > Out of interest, when we route the Internet traffic past the
    > Nokia IP530 firewall and onto an Internet connection at
    > another downstream site, which uses a Cisco PIX firewall
    > instead, the remote Paris users ARE able to browse the
    > offending websites successfully. This indicates that it must
    > be something to do with the Nokia/Check Point installation.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: Sloane, David: "[fw-wiz] RE:[fw-wiz]: unable to ping behind the firewall"

    Relevant Pages