RE: [fw-wiz] MTU issue routing traffic via Cisco GRE tunnel to Nokia/Check Point firewall
From: Ben Nagy (ben_at_iagu.net)
To: <firstname.lastname@example.org> Date: Mon, 8 Dec 2003 10:30:05 +0100
Ok, I have a working theory. Stop me if you've heard this one... ;)
It's PMTU-D. Again.
Just confirm that someone hasn't helpfully "tightened" your firewall
settings to deny all outbound ICMP errors. Over-enthusiastic firewall
monkeys seem to do that fairly often.
If those ICMP unreachables aren't actually getting back through the firewall
to the sending host (the outside webserver) then it will be breaking path
MTU discovery, and you'll get symptoms like what you're seeing.
As a workaround, you can lower the MTU on your Paris LAN hosts. This will
make sure that the client never asks for an MSS big enough to cause the
problem. I guess 1380 would be the magic number there, but I haven't
actually checked the overheads. That's a horribly ugly thing to do, by the
way, and I feel kind of bad for suggesting it.
(Oh, and let me know the result? I like mysteries.)
> -----Original Message-----
> From: email@example.com
> [mailto:firstname.lastname@example.org] On Behalf
> Of email@example.com
> Sent: Thursday, December 04, 2003 12:24 PM
> To: firstname.lastname@example.org
> Subject: [fw-wiz] MTU issue routing traffic via Cisco GRE
> tunnel to Nokia/Check Point firewall
> We have been suffering an issue to do with Checkpoint, Cisco
> GRE tunnels and MTU size for a number of months now[...]
> The Cisco GRE tunnel has a MTU size of 1420 set at both ends
> for it's tunnel interfaces. This is the highest we can use
> based on the encryption/encapsulation chosen in order to
> facilitate protocols such as OSPF from working over the link.
> All other interfaces along the way (router ethernets and
> Nokia interfaces) are set the default 1500.
> When running a tcpdump on the IP530 in London (on the
> external interface), during a session from Paris to one of
> the offending websites, the following is logged:
> 16:36:27.586541 I 18.104.22.168.80 > 22.214.171.124.41571: .
> 1:1461(1460) ack
> 249 win 63992 (DF)
> 16:36:27.588356 O 126.96.36.199 > 188.8.131.52: icmp:
> 184.108.40.206 unreachable
> - need to frag (mtu 1420)
> Out of interest, when we route the Internet traffic past the
> Nokia IP530 firewall and onto an Internet connection at
> another downstream site, which uses a Cisco PIX firewall
> instead, the remote Paris users ARE able to browse the
> offending websites successfully. This indicates that it must
> be something to do with the Nokia/Check Point installation.
firewall-wizards mailing list