On Friday, 2001/10/26 at 11:02 MST, joe volk <[EMAIL PROTECTED]> wrote:

> Sitting behind a Cisco 7206 perimeter router and 2
> load balanced Gauntlet FWs on Solaris, internal client
> browsers cannot access a few distinct, unrelated web
> sites. Either 403 errors (Netscape) or blank page
> (IE) returned. Our upstream provider is unable to
> access these particular sites as well.
>
> From an unadvertised host in our DMZ (directly off the
> perimeter router) I am able to access the sites 80% of
> the time. Had a similar problem a while back when it
> was determined that a device hosting the remote web
> server was limiting MTU size. Our upstream provider
> put in place a workaround to match max MTU size
> between us and remote site.
>
> 1) Does this sound like an MTU-related problem or more
> a DNS issue if remote site is attempting to do
> resolution to determine if we are coming from a
> particular domain?
>
> 2) Is there anything we can do at our site either on
> router or firewalls to at least give us the same,
> albeit less-than-stellar, results we get from our DMZ?
It could be MTU-related. Many servers use path MTU discovery (PMTUD), often by default. When a machine using PMTUD is front-ended by a load balancing system (or sometimes just a firewall), the ICMP messages required for PMTUD often don't make it back to the server. When this is the case, packets sent from the server that are too large for some link on the path to the client never get delivered. To test this possibility, simply disable PMTUD on your server and try the broken connections again.

Tony Rall

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
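The failure mode Tony describes is easy to see in a small model. The following is an added example, not code from this thread or from any of the products named in it: it builds a real RFC 1191 ICMP "Fragmentation Needed" message (type 3, code 4, next-hop MTU in the header, with a correct Internet checksum), then simulates a server sending DF-marked packets through a firewall toward a client over a path containing a 1400-byte link. All sizes, addresses and the 4000-byte payload are constructed values chosen for the model; nothing here is captured traffic. The three cases are the ones the reply contrasts: PMTUD working because the ICMP gets back, PMTUD black-holed because the firewall or load balancer drops the ICMP, and PMTUD switched off (DF clear) so the router simply fragments.

```python
"""Model of a PMTUD black hole. Added illustration, not code from the thread.

Constructed values throughout: server MTU 1500, a 1400-byte link on the path,
documentation-range addresses (RFC 5737), a 4000-byte payload.
"""
import struct
from dataclasses import dataclass

IP_HDR = 20            # IPv4 header length without options
ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; evaluates to 0 over a message
    that already carries a correct checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(total_len: int, df: bool) -> bytes:
    """Constructed IPv4 header for the offending datagram (DF bit = 0x4000)."""
    flags_frag = 0x4000 if df else 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                       64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))


def build_frag_needed(next_hop_mtu: int, offending: bytes) -> bytes:
    """ICMP type 3 / code 4 as a router emits it: 8-byte ICMP header (type,
    code, checksum, unused, next-hop MTU) followed by the offending datagram's
    IP header plus its first 8 bytes (RFC 1191 section 4)."""
    body = offending[:IP_HDR + 8]
    hdr = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    csum = internet_checksum(hdr + body)
    hdr = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, csum, 0, next_hop_mtu)
    return hdr + body


def parse_frag_needed(msg: bytes):
    """Return the advertised next-hop MTU, or None if this is not a valid
    Fragmentation Needed message (too short, bad checksum, wrong type/code)."""
    if len(msg) < 8 or internet_checksum(msg) != 0:
        return None
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if typ != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    return mtu


@dataclass
class Packet:
    size: int   # total IP datagram length
    df: bool    # Don't Fragment set, i.e. the sender relies on PMTUD


@dataclass
class Server:
    """Sending host; path_mtu is its current estimate for this destination."""
    mtu: int = 1500
    pmtud: bool = True
    path_mtu: int = 1500

    def segment(self, payload: int):
        per_pkt = min(self.mtu, self.path_mtu) - IP_HDR
        pkts, remaining = [], payload
        while remaining > 0:
            chunk = min(per_pkt, remaining)
            pkts.append(Packet(size=chunk + IP_HDR, df=self.pmtud))
            remaining -= chunk
        return pkts


def run_case(pmtud: bool, fw_passes_icmp: bool, link_mtu: int = 1400,
             payload: int = 4000, max_rounds: int = 4) -> dict:
    """Push `payload` bytes across a path with one link of `link_mtu`.

    Each round the server re-sends using its current path-MTU estimate. A
    DF=0 packet larger than the link is fragmented by the router and still
    arrives; a DF=1 packet is dropped and an ICMP 3/4 is generated, which
    reaches the server only when the firewall passes it (fw_passes_icmp).
    """
    server = Server(pmtud=pmtud)
    for rnd in range(1, max_rounds + 1):
        delivered, dropped = 0, 0
        for pkt in server.segment(payload):
            if pkt.size <= link_mtu or not pkt.df:
                delivered += pkt.size - IP_HDR
                continue
            dropped += 1
            icmp = build_frag_needed(link_mtu, ipv4_header(pkt.size, pkt.df) + b"\x00" * 8)
            if fw_passes_icmp:
                advertised = parse_frag_needed(icmp)
                if advertised:
                    server.path_mtu = min(server.path_mtu, advertised)
        if dropped == 0:
            return {"complete": True, "rounds": rnd, "delivered": delivered,
                    "path_mtu": server.path_mtu}
    return {"complete": False, "rounds": max_rounds, "delivered": delivered,
            "path_mtu": server.path_mtu}


if __name__ == "__main__":
    print("PMTUD on, ICMP passes firewall     :", run_case(True, True))
    print("PMTUD on, ICMP dropped (black hole):", run_case(True, False))
    print("PMTUD off (DF clear)               :", run_case(False, False))
```

The black-hole case reproduces the symptom in the original question: only the small trailing packet of the response ever arrives, so tiny replies work and real pages hang or come up blank, and the server never learns why because the ICMP it needs is filtered. Disabling PMTUD on the server, as Tony suggests, clears DF and lets routers fragment; the other standard remedy is to let ICMP type 3 code 4 through the firewall and load balancer so the sender can shrink its packets.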
