On Mon, Jun 07, 2010 at 04:07:00PM +0200, Kai Krebber wrote:
> Mmh - either I misunderstood the whole PMTUD-concept or I poorly
> explained my situation:

I assumed the problem was on the *external* network, not the internal one.

> Sending Mailserver<->Solaris<->(ipsec-tunnel)<->VPN-Gateway<->receiving
> mailserver
>
> Here's the snoop on the wan-interface (i.e. towards the sending
> mailserver):
>
> 216.104.20.23 -> 213.172.123.138 SMTP C port=58657 Received: from out02
> 213.172.123.138 -> 216.104.20.23 ICMP Destination unreachable (Needed to
> fragment: next hop MTU = 1402)
> 216.104.20.23 -> 213.172.123.138 SMTP C port=59044 Received: from out02
> 213.172.123.138 -> 216.104.20.23 ICMP Destination unreachable (Needed to
> fragment: next hop MTU = 1402)
> :
>
>
> 1) Sending mailserver sends Packet with 1450 Byte and DF bit set.

1460, no?

> 2) Solaris would have to frag the packet to get it thru the tunnel, but
> DF bit is set. So Solaris sends back the icmp need to frag (with next
> hop MTU=1402) to the sending mailserver.
> 3) sending mailserver ignores info and keeps sending big packets.
>
> Lowering the MTU on the tunnel interfaces wouldn't change the situation
> - it only would lower the next hop MTU info in the icmp-Packet, wouldn't
> it?

Yes. I didn't realize your problem was on the *inside* network. You have no influence here?

You could try this on the encrypting gateway:

    ndd -set /dev/ip ip_path_mtu_discovery 0

but I'm not sure off the top of my head if that setting will just not send ICMP NEEDS_FRAGMENTATION, or if it also ignores the DF bit.

Dan

_______________________________________________
networking-discuss mailing list
networking-discuss@opensolaris.org
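The failure mode Kai describes (a sender that keeps sending full-size DF packets after being told "Needed to fragment") can be spotted from snoop summary output alone. The following is an added example, not code from the thread or from Solaris: it scans the quoted snoop lines, flags any sender that receives a repeated need-frag ICMP yet keeps transmitting, and derives the MSS one would clamp to for the advertised next-hop MTU (assuming 20-byte IPv4 and 20-byte TCP headers, no options).

```python
import re
from collections import defaultdict

# Constructed sample input: the snoop summary lines quoted in the thread above.
SNOOP = """\
216.104.20.23 -> 213.172.123.138 SMTP C port=58657 Received: from out02
213.172.123.138 -> 216.104.20.23 ICMP Destination unreachable (Needed to fragment: next hop MTU = 1402)
216.104.20.23 -> 213.172.123.138 SMTP C port=59044 Received: from out02
213.172.123.138 -> 216.104.20.23 ICMP Destination unreachable (Needed to fragment: next hop MTU = 1402)
"""

LINE = re.compile(r"^(\S+) -> (\S+) (.*)$")
NEEDFRAG = re.compile(r"Needed to fragment: next hop MTU = (\d+)")
IP_TCP_HEADERS = 40  # assumption: IPv4 header (20) + TCP header (20), no options


def clamp_mss(next_hop_mtu):
    """Largest TCP segment that fits the advertised next-hop MTU without fragmentation."""
    return next_hop_mtu - IP_TCP_HEADERS


def find_pmtud_ignorers(snoop_text, repeats=2):
    """Return {sender: details} for senders told 'Needed to fragment' at least
    `repeats` times that still sent data afterwards. snoop summary lines carry no
    packet length, so a second need-frag ICMP to the same sender is the signal:
    a compliant sender shrinks its segments after the first one."""
    needfrag = defaultdict(int)    # sender -> need-frag ICMPs received
    sent_after = defaultdict(int)  # sender -> data packets sent after the first ICMP
    mtu = {}
    for line in snoop_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # snoop's ':' continuation marker and other non-packet lines
        src, dst, info = m.groups()
        icmp = NEEDFRAG.search(info)
        if icmp:
            needfrag[dst] += 1
            mtu[dst] = int(icmp.group(1))
        elif needfrag[src]:
            sent_after[src] += 1
    return {
        s: {"needfrag": n, "sent_after": sent_after[s],
            "next_hop_mtu": mtu[s], "clamp_mss": clamp_mss(mtu[s])}
        for s, n in needfrag.items() if n >= repeats and sent_after[s]
    }


if __name__ == "__main__":
    for sender, r in find_pmtud_ignorers(SNOOP).items():
        print(f"{sender}: {r['needfrag']} need-frag ICMPs, kept sending {r['sent_after']}x; "
              f"clamp MSS to {r['clamp_mss']} for next-hop MTU {r['next_hop_mtu']}")
```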