Re: MTU

From: Leonid Rosenboim (My_1st_name@Consultant.Com)
Date: 10/16/02


From: "Leonid Rosenboim" <My_1st_name@Consultant.Com>
Date: Wed, 16 Oct 2002 19:38:08 +0200

So, now the cat is out of the bag -

The GPRS router has a problem dealing with IP fragments,
and you are trying to circumvent this by reducing MTU.

Sadly, as long as your GPRS router fails to properly support
fragmentation, there will always be problems. There could be
situations where your firewall receives fragmented packets and
forwards them to the GPRS router as fragments, and that will
still cause your GPRS router to crash.

As a temporary workaround, in the GPRS router PPP code,
you can set the MTU to 1450, therefore the laptop will also
negotiate 1450 MTU automatically.
But this will not solve all the issues which may result from
the GPRS router having trouble with fragments.

So besides advising you to fix the GPRS router fragment handling,
I can not offer any good solution off the top of my head, but if I had
hands-on access to this network, and deeper knowledge of some further
details and considerations, I might have been able to offer further advice.

 Leonid Rosenboim
 Consultant

"Yuki Arif" <Yuki.Arif@ericsson.com> wrote in message
news:aojgg8$fdi$1@aken.eed.ericsson.se...
> Hello Leonid,
>
> Here is the detail of the diagram :
>
> <<<------------------------------------------- Packet Flow -----------------------------------------------
>
> Laptop client ----GSM network----- Router GPRS Equipment box ----Router 1-----Firewall ----Internet.
>
>
> There is an ipsec tunnel between Router GPRS Equipment box and Router 1.
>
> If we set MTU in the Firewall interface towards Router 1 = 1500, Router 1
> will add an IPSEC header. So the total packet will be more than 1500. The MTU
> between Router GPRS Equipment box and Router 1 is 1500. So Router 1
> will fragment the IPSEC packet. When there are many fragmented IPSEC packets
> in the Router GPRS Equipment box, the router will restart.
>
> That's why we set MTU in the Firewall interface towards Router 1 = 1450 to
> make sure the total packet coming out from Router 1 is always below or equal
> to MTU = 1500. The IPSEC header is around 44 bytes.
>
> Our Router 1 is not a Cisco router. In a Cisco router, it will calculate the
> incoming packet first and it will divide the packet in some way, so the
> total packet coming out from Router 1 is always below or equal to MTU = 1500. So
> there is no IPSEC fragmentation in Router GPRS Equipment box.
>
> The problem we have is, when we set MTU in the Firewall interface towards
> Router 1 = 1450, we can not browse with Windows 2k (default MTU 1500).
> Windows 98 is fine since it does not use MTU 1500. When we decrease the MTU
> to 1450 in the laptop with Windows 2k, it is OK with browsing.
>
> We suspect the firewall has some problem but I am not good with firewalls.
>
> I have the following info but I don't know how to implement it in Checkpoint
> Firewall (how to permit ICMP type-3 code 4).
>
>
> NAT Does Not Work to Certain Sites
>
> Q:
>
> I am hiding my clients behind my firewall's external interface. I am having
> problems surfing to one site in particular. What might be the problem?
>
> A:
>
> Use a packet sniffer to look for packets larger than the MTU with the "do not
> fragment" bit set. snoop, tcpdump, or the like should be able to find
> packets like this. Once you determine that, either permit ICMP type-3 code 4
> packets to your clients or adjust your MTU. A more detailed discussion of
> MTU Discovery can be found here <http://users.worldgate.ca/~marcs/mtu/>.
>
> Another possibility is that you are attempting to access a website that is
> using the same address space you are using internally and NATting. This is
> why if you are using non-routable addresses on your internal network, you
> should strive to use those as defined by RFC-1918. (Thanks to Simon Hornby
> <mailto:simon.hornby@grenville.co.uk> for reminding me of this)
>
>
>
> ICMP Error Codes
>
> Q:
>
> What do the ICMP Error Codes mean? I see them in the logs with any ICMP
> packets that get logged.
>
> A:
>
> From RFC 1700:
>
> Type 0 Echo Reply
> Type 3 Destination Unreachable
> Code
> 0 = net unreachable;
> 1 = host unreachable;
> 2 = protocol unreachable;
> 3 = port unreachable;
> 4 = fragmentation needed and DF set;
> 5 = source route failed.
> Type 4 Source Quench
> Type 5 Redirect
> Code
> 0 = Redirect datagrams for the Network.
> 1 = Redirect datagrams for the Host.
> 2 = Redirect datagrams for the Type of Service and Network.
> 3 = Redirect datagrams for the Type of Service and Host.
>
> Type 8 Echo
> Type 11 Time Exceeded
> Code
> 0 = time to live exceeded in transit;
> 1 = fragment reassembly time exceeded.
> Type 12 Parameter Problem
> Code 0 = pointer indicates the error.
> Type 13 Timestamp
> Type 14 Timestamp Reply
> Type 15 Information Request
> Type 16 Information Reply
>
>
> Cheers
>
> Yuki
>
>
>
>
>
> "Leonid Rosenboim" <My_1st_name@Consultant.Com> wrote in message
> news:newscache$ey0z3h$0j8$1@lnews.actcom.co.il...
> > Yuki,
> >
> > GPRS is sub-layer-2, you can't just have the GPRS hooked straight into your
> > firewall. There is still something missing in your diagram.
> > Typically, people run PPP on top of GPRS, so your laptop dial-up driver
> > will work with an Access Server on the other end (e.g. AccessPath 5300)
> > which terminates the PPP connections, and outputs IP packets over Ethernet
> > which then get into the firewall. Alternatively, the access server which
> > terminates PPP may also run firewall software in the same box.
> >
> > Anyhow, during PPP session establishment, the IPCP component will negotiate
> > an IP address, mask, default gateway and MTU, so that the MTU on your laptop
> > should match the MTU of the PPP interface of the access server. The MTU on
> > the ethernet side of the access server does not need to match that of your
> > laptop because the access server is a Layer-3 device.
> >
> > Please clarify your situation, and restate the actual problem you're facing,
> > so I will be able to help further.
> >
> > -----------------------------------------------------------------------
> > Leonid Rosenboim    Visit: http://gamla.org.il/english/index.htm
> > Consultant          Email: my first name at consultant dot com
> >
> >
> > "Yuki Arif" <Yuki.Arif@ericsson.com> wrote in message
> > news:aoea92$rhn$1@aken.eed.ericsson.se...
> > > Hi Leonid
> > >
> > > Thanks for your answer.
> > >
> > > I must revise my Diagram...
> > >
> > > My Laptop <-----> GPRS Network <------> Firewall <----->LAN<---->Internet<----->Webserver.
> > >
> > > The problem is, there is something wrong in the GPRS network that forces us to
> > > make MTU of Firewall 1450.
> > > How do I handle Firewall to encounter 1500 MTU to 1450 MTU?
> > >
> > > Thanks..
> > >
> > > Yuki
> > >
> > >
> > >
> > > "Leonid Rosenboim" <My_1st_name@Consultant.Com> wrote in message
> > > news:newscache$7byy3h$ud8$1@lnews.actcom.co.il...
> > > > The standard MTU size for IP over Ethernet is 1500,
> > > > when using the classic encapsulation (not SNAP),
> > > > hence the setting on the firewall is in violation of the
> > > > standard, and should be changed.
> > > >
> > > > On the other hand, all nodes on a given segment
> > > > (i.e. Layer-2 domain) must have all their MTUs
> > > > set identically (which explains why setting MTU
> > > > to 1450 on your laptop seems to fix things).
> > > >
> > > > -- HTH
> > >
> > > > -----------------------------------------------------------------------
> > > > Leonid Rosenboim    Visit: http://gamla.org.il/english/index.htm
> > > > Consultant          Email: my first name at consultant dot com
> > > >
> > > >
> > > > "Yuki Arif" <Yuki.Arif@ericsson.com> wrote in message
> > > > news:aoe82t$kde$1@aken.eed.ericsson.se...
> > > > > Hello All,
> > > > >
> > > > > I have network like this :
> > > > >
> > > > > - My Laptop, Windows 2000, MTU 1500 (Private IP).
> > > > >
> > > > > - NAT in Firewall (Checkpoint Firewall 4.1 running on Sun Solaris).
> > > > >
> > > > > My Laptop <-----> LAN <------> Firewall <-----> LAN<---->Internet<----->Webserver
> > > > >
> > > > > The MTU of Firewall interface towards My laptop is 1450.
> > > > >
> > > > > The MTU of Firewall interface towards Webserver is 1500.
> > > > >
> > > > > Somehow, I can not browse with MTU 1500 set up on my laptop.
> > > > >
> > > > > I can do browsing when I set up my Laptop MTU to 1450.
> > > > >
> > > > > Do you know what I should do?
> > > > >
> > > > > I have to use MTU = 1500 on my laptop.
> > > > >
> > > > > Thanks in advance.
> > > > >
> > > > > Yuki
> > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
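
The thread turns on two details: Router 1 adds roughly 44 bytes of IPSEC overhead, so a 1500-byte packet no longer fits a 1500-byte link, and the fix Yuki was pointed at is letting ICMP type-3 code-4 ("fragmentation needed and DF set") reach the clients so Path MTU Discovery can work. The following is an added example, not code from the thread: it builds and parses that ICMP message (RFC 792 type/code, RFC 1191 next-hop MTU field, RFC 1071 checksum) and does the overhead arithmetic. The 44-byte figure is the thread's approximation, and the sample datagram head is constructed.

```python
import struct

# Added example, not from the thread: decode the ICMP "fragmentation needed"
# message that Path MTU Discovery relies on (RFC 792 type 3 code 4, next-hop
# MTU field from RFC 1191) and check the IPSEC overhead math from the thread.
ICMP_DEST_UNREACH = 3   # type 3: Destination Unreachable
ICMP_FRAG_NEEDED = 4    # code 4: fragmentation needed and DF set
IPSEC_OVERHEAD = 44     # approximate per-packet IPSEC overhead quoted in the thread


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a valid message checksums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frag_needed(next_hop_mtu: int, orig_head: bytes) -> bytes:
    """Message a router sends when a DF packet exceeds the next hop's MTU.

    Bytes 6-7 carry the next-hop MTU; orig_head is the offending datagram's
    IP header plus its first 8 bytes of payload (constructed in the caller)."""
    head = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    body = head + orig_head
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def parse_frag_needed(msg: bytes):
    """Return the advertised next-hop MTU, or None if msg is not a valid
    'fragmentation needed' message (too short, bad checksum, wrong type/code)."""
    if len(msg) < 8 or icmp_checksum(msg) != 0:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if icmp_type != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    return mtu


def max_inner_mtu(link_mtu: int, overhead: int = IPSEC_OVERHEAD) -> int:
    """Largest plaintext packet whose IPSEC-encapsulated form still fits link_mtu."""
    return link_mtu - overhead


def needs_fragmentation(inner_len: int, link_mtu: int, overhead: int = IPSEC_OVERHEAD) -> bool:
    """True when a packet of inner_len bytes is fragmented after encapsulation."""
    return inner_len + overhead > link_mtu
```

A firewall that drops these messages (as the quoted FAQ warns) leaves the Windows 2000 client sending 1500-byte DF packets that never get the 1450 hint back, which is the browsing failure described above.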


