R: [fw-wiz] MTU issue routing traffic via Cisco GRE tunnel to Nokia/Check Point firewall
From: edp (edp.lists_at_acerbis.it)
To: <firstname.lastname@example.org>, <email@example.com>
Date: Fri, 12 Dec 2003 18:04:09 +0100
>We have tried lots of things on the GRE tunnel configuration on our
>routers, including settings to ignore the Don't Fragment (DF) bit, and
>force different MTU sizes. A long-running Cisco TAC case has not
>any way around our problem.
Seems also to me to be a path MTU discovery problem.
Maybe the non-working webservers send packets bigger than your GRE tunnel
MTU and, more important, with DF set in the IP headers; when these packets
are processed by your router interface, your router cannot fragment the
packet to keep forwarding going, because it honors the DF flag, and so
it generates an ICMP "fragmentation required" to the webserver in order to
force the webserver to produce smaller packets. But maybe this ICMP gets
lost in transit due to strict filters, so the communication stalls.
Investigate your appliance's features; maybe you can patch the in-transit
client TCP MSS in order to avoid fragmentation.
firewall-wizards mailing list
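The black-hole scenario sketched in the reply above, as an added illustration that is not part of the original thread: a small model of a router in front of a GRE tunnel that honors DF, either delivers or loses the ICMP "fragmentation needed" message, and the effect of clamping the client MSS. The header sizes and the 1500-byte outer MTU are constructed assumptions, not figures from the list discussion.

```python
"""Model of a path-MTU black hole across a GRE tunnel.
A webserver sends DF-marked TCP segments; the router cannot fragment them,
so it must rely on ICMP type 3 code 4 reaching the sender. Sizes below are
constructed sample values (IPv4-in-IPv4 GRE without key/sequence options)."""
from dataclasses import dataclass
from typing import Tuple

IPV4_HDR = 20
TCP_HDR = 20
GRE_HDR = 4          # basic GRE header, no key or sequence fields
ETHERNET_MTU = 1500  # assumed physical MTU of the tunnel's outer interface


def gre_tunnel_mtu(outer_mtu: int = ETHERNET_MTU) -> int:
    """Largest inner IP packet that fits one outer packet (outer IPv4 + GRE)."""
    return outer_mtu - IPV4_HDR - GRE_HDR


def clamped_mss(tunnel_mtu: int) -> int:
    """TCP MSS a middlebox would rewrite into the SYN so segments always fit."""
    return tunnel_mtu - IPV4_HDR - TCP_HDR


@dataclass
class Packet:
    size: int   # total length of the inner IP packet
    df: bool    # Don't Fragment bit


def router_forward(pkt: Packet, link_mtu: int, icmp_reaches_sender: bool) -> str:
    """What the tunnel-facing router does with one packet.
    Returns 'forwarded', 'fragmented', 'icmp_frag_needed' or 'black_hole'."""
    if pkt.size <= link_mtu:
        return "forwarded"
    if not pkt.df:
        return "fragmented"
    # DF set and too big: drop it and send ICMP type 3 code 4 to the sender;
    # if a filter eats that ICMP, the sender never learns why packets vanish.
    return "icmp_frag_needed" if icmp_reaches_sender else "black_hole"


def simulate_transfer(server_mss: int, tunnel_mtu: int, icmp_filtered: bool,
                      max_rounds: int = 5) -> Tuple[str, int]:
    """Server sends DF-marked segments of server_mss payload and shrinks only
    if the ICMP arrives. Returns (outcome, last segment size tried)."""
    size = server_mss + IPV4_HDR + TCP_HDR
    for _ in range(max_rounds):
        result = router_forward(Packet(size, df=True), tunnel_mtu, not icmp_filtered)
        if result == "forwarded":
            return "ok", size
        if result == "black_hole":
            return "stalled", size   # ICMP lost: connection hangs
        size = tunnel_mtu            # PMTUD: adopt the MTU the ICMP announced
    return "stalled", size
```

Running `simulate_transfer(clamped_mss(gre_tunnel_mtu()), gre_tunnel_mtu(), icmp_filtered=True)` succeeds even with the ICMP filtered, which is the point of MSS clamping on the appliance.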