R: [fw-wiz] MTU issue routing traffic via Cisco GRE tunnel to Nokia/Check Point firewall

From: edp (edp.lists_at_acerbis.it)
Date: 12/12/03

  • Next message: Ben Nagy: "RE: [fw-wiz] Firewalls v. Router ACLs" 
    To: <marcel.cook@convergys.com>, <firewall-wizards@honor.icsalabs.com>
Date: Fri, 12 Dec 2003 18:04:09 +0100

    >We have tried lots of things on the GRE tunnel configuration on our
    Cisco
    >routers, including settings to ignore the Don't Fragment (DF) bit, and
    to
    >force different MTU sizes. A long-running Cisco TAC case has not
    suggested
    >any way around our problem.

    Seems also to me a path mtu discovery problem.
    Maybe non-working webservers send packets bigger than your gre tunnel
    mtu and - more important - with DF set in ip headers; when this packets
    is processed by your router interface, your router cannot fragment the
    packet keeping forwarding going on, because it honors the DF flag and so
    it generates a icmp "require fragmentation" to the webserver in order to
    force the webserver to produce smaller packets. But maybe this icmp got
    lost in transit due to strict filters so the communication stalls.

    Investigate your appliance feature, maybe you can patch in-transit
    client TCP MSS in order to avoid fragmentation.

    Regards,
    .FT

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

  • Next message: Ben Nagy: "RE: [fw-wiz] Firewalls v. Router ACLs"

    Relevant Pages

    • Re: Cisco 837 Adsl to public IP
      ... I have one public ip A. B.C. D which is connected to router B. ... make a static route to this or I have to have a GRE Tunnel. ... where to route those packets with destination from private IP range. ... Configuring GRE tunnel between public IP of two routers should ...
      (comp.dcom.sys.cisco)
    • Re: Fwd: [IPv4 fragmentation --> The Rose Attack]
      ... Which limits such an attack to 800 packets overall and 16 fragments ... The first fragment is the ... > dropped at high packet rates if there aren't enough buffers allocated. ...
      (freebsd-net)
    • Re: MTU
      ... as long as your GPRS router fails to properly support ... So besides adviding you to fix the GPRS router fragment handling, ... So the total packet will be more than 1500. ...
      (comp.security.firewalls)
    • Re: [PATCH 00/28] Swap over NFS -v16
      ... To do so we need to distinguish needed from unneeded packets; ... our state must not consume memory, ... a/ in caches, such as the fragment cache and the route cache ...
      (Linux-Kernel)
    • RE: [Full-Disclosure] A new TCP/IP blind data injection technique ?
      ... > fragmented packets and there is NO option to change this. ... > firewall or connecting to any services out side the firewall with the ... The Cisco Pix has an IP fragment database. ... The information contained in this email and any attachments is ...
      (Full-Disclosure)