Firewall Wizards mailing list archives
RE: MTU issue routing traffic via Cisco GRE tunnel to Nokia/Check Point firewall
From: "Ben Nagy" <ben () iagu net>
Date: Mon, 8 Dec 2003 10:30:05 +0100
Ok, I have a working theory. Stop me if you've heard this one... ;)

It's PMTU-D. Again.

Just confirm that someone hasn't helpfully "tightened" your firewall settings to deny all outbound ICMP errors. Over-enthusiastic firewall monkeys seem to do that fairly often. If those ICMP unreachables aren't actually getting back through the firewall to the sending host (the outside webserver) then it will be breaking path MTU discovery, and you'll get symptoms like what you're seeing.

As a workaround, you can lower the MTU on your Paris LAN hosts. This will make sure that the client never asks for an MSS big enough to cause the problem. I guess 1380 would be the magic number there, but I haven't actually checked the overheads. That's a horribly ugly thing to do, by the way, and I feel kind of bad for suggesting it.

'luck...

ben

(Oh, and let me know the result? I like mysteries.)

[1] http://www.ietf.org/rfc/rfc1191.txt
-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of marcel.cook () convergys com
Sent: Thursday, December 04, 2003 12:24 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] MTU issue routing traffic via Cisco GRE tunnel to Nokia/Check Point firewall

We have been suffering an issue to do with Checkpoint, Cisco GRE tunnels and MTU size for a number of months now[...]
[...]
The Cisco GRE tunnel has an MTU size of 1420 set at both ends for its tunnel interfaces. This is the highest we can use based on the encryption/encapsulation chosen in order to facilitate protocols such as OSPF working over the link. All other interfaces along the way (router ethernets and Nokia interfaces) are set to the default 1500.
[...]
When running a tcpdump on the IP530 in London (on the external interface), during a session from Paris to one of the offending websites, the following is logged:
[...]
16:36:27.586541 I 194.3.182.10.80 > 154.38.47.5.41571: . 1:1461(1460) ack 249 win 63992 (DF)
16:36:27.588356 O 154.38.47.5 > 194.3.182.10: icmp: 154.38.47.5 unreachable - need to frag (mtu 1420)
[...]
Out of interest, when we route the Internet traffic past the Nokia IP530 firewall and onto an Internet connection at another downstream site, which uses a Cisco PIX firewall instead, the remote Paris users ARE able to browse the offending websites successfully. This indicates that it must be something to do with the Nokia/Check Point installation.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
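The mechanism Ben describes (RFC 1191 path MTU discovery breaking when a firewall swallows the ICMP "need to frag" errors) and the two numbers in the thread (the 1460-byte segment in the tcpdump and the suggested 1380 MSS) can be checked with a small model. The following is an added example, not code from either poster; the hop names, MTUs and the "drops ICMP errors" flag are constructed assumptions that mirror the London/Paris topology, not measurements from the original posts.

```python
"""Path MTU discovery walk-through (RFC 1191), added as an illustration.

Constructed model: a 1500-byte-MTU sender (the outside webserver) pushes
DF-flagged segments through a path containing a 1420-byte GRE tunnel. The
hop that sits in front of the tunnel may or may not let the ICMP type 3
code 4 ("fragmentation needed") error back out. All values are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field

IP_HDR = 20   # IPv4 header without options
TCP_HDR = 20  # TCP header without options


def tcp_mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits in one IP packet on a link with this MTU."""
    return mtu - IP_HDR - TCP_HDR


@dataclass
class Hop:
    name: str
    mtu: int
    # True models a firewall whose outbound policy denies ICMP errors, so the
    # "need to frag" generated downstream of it never reaches the sender.
    drops_icmp_errors: bool = False


@dataclass
class Result:
    delivered: bool
    final_mtu: int
    attempts: int = 0
    icmp_errors_seen: list[int] = field(default_factory=list)


def simulate_pmtud(path: list[Hop], sender_mtu: int = 1500, max_attempts: int = 5) -> Result:
    """Send full-size DF segments and react to ICMP need-to-frag replies.

    Each attempt sends one packet of the sender's current MTU. The first hop
    whose MTU is smaller generates ICMP type 3 code 4 carrying its MTU; that
    error has to travel back through every earlier hop. If one of those hops
    drops ICMP errors the sender learns nothing and retransmits at the same
    size forever: a PMTUD black hole, which is the symptom in the thread.
    """
    current_mtu = sender_mtu
    res = Result(delivered=False, final_mtu=current_mtu)
    for _ in range(max_attempts):
        res.attempts += 1
        blocking = next((i for i, h in enumerate(path) if h.mtu < current_mtu), None)
        if blocking is None:
            res.delivered = True
            res.final_mtu = current_mtu
            return res
        if any(h.drops_icmp_errors for h in path[:blocking]):
            continue  # error silently lost; sender retries the same size
        res.icmp_errors_seen.append(path[blocking].mtu)
        current_mtu = path[blocking].mtu  # RFC 1191: adopt the advertised MTU
    res.final_mtu = current_mtu
    return res


# Constructed topology: London firewall, then the GRE tunnel, then Paris LAN.
HEALTHY_PATH = [Hop("nokia-fw", 1500), Hop("gre-tunnel", 1420), Hop("paris-lan", 1500)]
BLACKHOLE_PATH = [Hop("nokia-fw", 1500, drops_icmp_errors=True),
                  Hop("gre-tunnel", 1420), Hop("paris-lan", 1500)]

if __name__ == "__main__":
    print("MSS for 1500 MTU:", tcp_mss_for_mtu(1500))  # the 1460-byte segment in the tcpdump
    print("MSS for 1420 MTU:", tcp_mss_for_mtu(1420))  # Ben's 1380 guess
    print("healthy:", simulate_pmtud(HEALTHY_PATH))
    print("blackhole:", simulate_pmtud(BLACKHOLE_PATH))
    # The ugly workaround: cap the MTU/MSS at the client end so no segment ever
    # needs the ICMP round trip in the first place.
    print("workaround:", simulate_pmtud(BLACKHOLE_PATH, sender_mtu=1420))
```

Running it shows why the tcpdump looks healthy in London yet the session stalls: the firewall does emit the error, but if its own outbound policy denies ICMP unreachables, the webserver never sees it and keeps resending the 1460-byte segment. The detection check this suggests is simple: capture on the outside interface and confirm that the "need to frag" packets actually leave, not just that they are generated.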
Current thread:
- MTU issue routing traffic via Cisco GRE tunnel to Nokia/Check Point firewall marcel . cook (Dec 06)
- RE: MTU issue routing traffic via Cisco GRE tunnel to Nokia/Check Point firewall Ben Nagy (Dec 11)
- R: MTU issue routing traffic via Cisco GRE tunnel to Nokia/Check Point firewall edp (Dec 12)
- Re: MTU issue routing traffic via Cisco GRE tunnel to Nokia/Check Point firewall Eric Vyncke (Dec 16)
- <Possible follow-ups>
- Re: MTU issue routing traffic via Cisco GRE tunnel to Nokia/Check Point firewall rainer . ginsberg (Dec 10)