RE: [fw-wiz] MTU issue routing traffic via Cisco GRE tunnel to Nokia/Check Point firewall

From: Ben Nagy (ben_at_iagu.net)
Date: 12/08/03

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Mon, 8 Dec 2003 10:30:05 +0100
    
    

    Ok, I have a working theory. Stop me if you've heard this one... ;)

    It's PMTU-D. Again.

    Just confirm that someone hasn't helpfully "tightened" your firewall
    settings to deny all outbound ICMP errors. Over-enthusiastic firewall
    monkeys seem to do that fairly often.

    If those ICMP unreachables aren't actually getting back through the firewall
    to the sending host (the outside webserver) then it will be breaking path
    MTU discovery, and you'll get symptoms like what you're seeing.

    As a workaround, you can lower the MTU on your Paris LAN hosts. This will
    make sure that the client never asks for an MSS big enough to cause the
    problem. I guess 1380 would be the magic number there, but I haven't
    actually checked the overheads. That's a horribly ugly thing to do, by the
    way, and I feel kind of bad for suggesting it.

    'luck...

    ben

    (Oh, and let me know the result? I like mysteries.)

    [1] http://www.ietf.org/rfc/rfc1191.txt

    > -----Original Message-----
    > From: firewall-wizards-admin@honor.icsalabs.com
    > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf
    > Of marcel.cook@convergys.com
    > Sent: Thursday, December 04, 2003 12:24 PM
    > To: firewall-wizards@honor.icsalabs.com
    > Subject: [fw-wiz] MTU issue routing traffic via Cisco GRE
    > tunnel to Nokia/Check Point firewall
    >
    > We have been suffering an issue to do with Checkpoint, Cisco
    > GRE tunnels and MTU size for a number of months now[...]
    [...]
    > The Cisco GRE tunnel has a MTU size of 1420 set at both ends
    > for its tunnel interfaces. This is the highest we can use
    > based on the encryption/encapsulation chosen in order to
    > facilitate protocols such as OSPF from working over the link.
    > All other interfaces along the way (router ethernets and
    > Nokia interfaces) are set to the default 1500.
    [...]
    > When running a tcpdump on the IP530 in London (on the
    > external interface), during a session from Paris to one of
    > the offending websites, the following is logged:
    [...]
    > 16:36:27.586541 I 194.3.182.10.80 > 154.38.47.5.41571: . 1:1461(1460) ack 249 win 63992 (DF)
    > 16:36:27.588356 O 154.38.47.5 > 194.3.182.10: icmp: 154.38.47.5 unreachable - need to frag (mtu 1420)
    [...]
    > Out of interest, when we route the Internet traffic past the
    > Nokia IP530 firewall and onto an Internet connection at
    > another downstream site, which uses a Cisco PIX firewall
    > instead, the remote Paris users ARE able to browse the
    > offending websites successfully. This indicates that it must
    > be something to do with the Nokia/Check Point installation.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
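The failure mode Ben describes, as an added example that is not part of this thread or of any vendor's code: a small Python simulation of RFC 1191 path MTU discovery with and without the firewall passing the ICMP "need to frag" message back to the sending host, plus a check over tcpdump lines in the format quoted above that flags a sender still emitting DF packets larger than an MTU it has already been told about. The first two trace lines are the quoted ones re-joined; the third line in each sample (a retransmit of the same 1460-byte segment, and a shrunken 1380-byte segment) is constructed for the example. The 1380 figure is 1420 minus 20-byte IPv4 and 20-byte TCP headers without options.

```python
import re
from dataclasses import dataclass

IP_HDR = 20   # IPv4 header, no options
TCP_HDR = 20  # TCP header, no options


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits in one IPv4 packet of the given MTU."""
    return mtu - IP_HDR - TCP_HDR


@dataclass
class Sender:
    """TCP sender that sets DF and honours ICMP 'need to frag' (RFC 1191)."""
    path_mtu: int = 1500       # starts out assuming an Ethernet-sized path
    unanswered_drops: int = 0  # DF packets dropped with no ICMP coming back

    def on_need_frag(self, next_hop_mtu: int) -> None:
        self.path_mtu = min(self.path_mtu, next_hop_mtu)


def send_across(sender: Sender, hop_mtu: int, icmp_returns: bool, tries: int = 4):
    """Push full-sized DF packets across a hop with a smaller MTU.

    Returns ('delivered', size) once a packet fits the hop, otherwise
    ('stalled', size) after `tries` silent drops (a PMTUD black hole)."""
    size = sender.path_mtu
    for _ in range(tries):
        size = sender.path_mtu            # MSS + IP_HDR + TCP_HDR
        if size <= hop_mtu:
            return ("delivered", size)
        # The hop drops the DF packet and emits ICMP type 3 code 4 toward the sender.
        if icmp_returns:
            sender.on_need_frag(hop_mtu)  # sender learns the smaller MTU and shrinks
        else:
            sender.unanswered_drops += 1  # firewall ate the ICMP: sender retransmits blindly
    return ("stalled", size)


# tcpdump 3.x style lines as quoted in the thread (first two lines are the
# originals re-joined; the third line of each trace is constructed).
DATA_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>[IO]) (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): \. \d+:\d+\((?P<len>\d+)\)")
NEED_FRAG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>[IO]) (?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp: \S+ "
    r"unreachable - need to frag \(mtu (?P<mtu>\d+)\)$")

BLACKHOLE_TRACE = [
    "16:36:27.586541 I 194.3.182.10.80 > 154.38.47.5.41571: . 1:1461(1460) ack 249 win 63992 (DF)",
    "16:36:27.588356 O 154.38.47.5 > 194.3.182.10: icmp: 154.38.47.5 unreachable - need to frag (mtu 1420)",
    "16:36:30.601002 I 194.3.182.10.80 > 154.38.47.5.41571: . 1:1461(1460) ack 249 win 63992 (DF)",
]
HEALTHY_TRACE = BLACKHOLE_TRACE[:2] + [
    "16:36:27.612871 I 194.3.182.10.80 > 154.38.47.5.41571: . 1:1381(1380) ack 249 win 63992 (DF)",
]


def pmtud_blackhole_findings(lines):
    """Flag DF data segments that still exceed an MTU already reported to
    their sender in an earlier 'need to frag' message: the classic symptom
    of the ICMP error being dropped somewhere on its way back."""
    reported = {}   # sender IP -> smallest MTU it has been told about
    findings = []
    for line in lines:
        m = NEED_FRAG_RE.match(line)
        if m:
            target = m.group("dst")
            reported[target] = min(reported.get(target, 65535), int(m.group("mtu")))
            continue
        m = DATA_RE.match(line)
        if m and line.endswith("(DF)"):
            total = int(m.group("len")) + IP_HDR + TCP_HDR
            mtu = reported.get(m.group("src"))
            if mtu is not None and total > mtu:
                findings.append((m.group("ts"), m.group("src"), total, mtu))
    return findings


if __name__ == "__main__":
    print("MSS for a 1420-byte tunnel MTU:", mss_for_mtu(1420))
    print("ICMP passed: ", send_across(Sender(), 1420, icmp_returns=True))
    print("ICMP dropped:", send_across(Sender(), 1420, icmp_returns=False))
    print("Black-hole findings:", pmtud_blackhole_findings(BLACKHOLE_TRACE))
    print("Healthy findings:   ", pmtud_blackhole_findings(HEALTHY_TRACE))
```

The check only needs a capture on the firewall's external interface, which is exactly what the original post collected: if the box is emitting "need to frag (mtu 1420)" outbound but the same server keeps re-sending 1460-byte DF segments, the ICMP is not reaching it, and the place to look is whatever sits between the firewall and the Internet (including the firewall's own outbound ICMP rules).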
