Are you filtering ICMP on your firewalls? Or filtering on your routers (like 'no ip unreachables')?
Can you enable MTUs bigger than 1500 on your infrastructure?
Dale
On Oct 18, 2005, at 4:09 PM, Wyman Miles wrote:
We've been seeing some MTU discovery issues on our wireless network for some time now. The key symptom is wireless clients whose local firewall drops fragmented packets can't reach certain sites (Google and its fellows, most notably).
That's the effect, not the cause.
According to our IDS, the wireless routers are sending ICMP 3:4s [frags needed && DF set] to the remote sites which presumably eat or ignore them.
What none of my sniffs can find are ICMP 3:4s sent to the wireless clients themselves. Nothing, not a one. As the tunnel between AC and AP obscures what may be the missing 3:4s, I can't say they're not being generated. What I can say for certain is they're not appearing on the wireless side of things.
There's a growing blame-the-firewall movement with obvious deleterious effects, so I'm eager to solve this problem.
Anyone else seen this on their wireless LANs? We're Chantry, but I presume any vendor that uses some tunnel between the access points and access controllers is at risk for the same behavior (Cisco/GRE, Aruba/IPSec, etc).
Any ideas?
Wyman Miles
Senior Security Engineer
Cornell University, Ithaca, NY
(607) 255-8421
**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
------------------------------------------------------------------------
Dale W. Carder - Network Engineer | DoIT Network Services
University of Wisconsin at Madison | [EMAIL PROTECTED]
(608) 263-3628 | 24hr NOC: 263-4188 | http://net.doit.wisc.edu/~dwcarder
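An added example, not part of the thread and not code from either poster: one way to tally captured ICMP 3:4 (fragmentation needed, DF set) messages by who they are addressed to, which is the check described in the quoted message. The addresses, the client range, the next-hop MTU of 1476 and all function names are constructed for illustration.

```python
import ipaddress
import struct

def ipv4(src, dst, proto, payload, df=False, total_len=None):
    """Build a minimal IPv4 packet for the constructed samples (checksum left at 0)."""
    length = total_len if total_len is not None else 20 + len(payload)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 0, 0x4000 if df else 0, 64,
                       proto, 0, ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + payload

def frag_needed(router, orig_src, orig_dst, next_hop_mtu, orig_len=1500):
    """Build the ICMP 3:4 a router sends back to orig_src (quotes IP header + 8 bytes)."""
    quoted = ipv4(orig_src, orig_dst, 6, b"\x00" * 8, df=True, total_len=orig_len)
    return ipv4(router, orig_src, 1, struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + quoted)

def parse_frag_needed(pkt):
    """Return details of an ICMP type 3 code 4 packet, or None for anything else."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:   # IPv4 carrying ICMP only
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 8 + 20:                            # ICMP header + quoted IP header
        return None
    icmp_type, code, _cksum, _unused, mtu = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
    if (icmp_type, code) != (3, 4):
        return None
    quoted = pkt[ihl + 8:]
    return {"router": ipaddress.ip_address(pkt[12:16]),
            "notified": ipaddress.ip_address(pkt[16:20]),
            "next_hop_mtu": mtu,
            "orig_len": struct.unpack("!H", quoted[2:4])[0],
            "orig_df": bool(quoted[6] & 0x40)}

def tally_by_side(packets, client_net):
    """Count 3:4s addressed to the wireless clients versus to everyone else."""
    net = ipaddress.ip_network(client_net)
    counts = {"to_clients": 0, "to_remote": 0}
    for pkt in packets:
        info = parse_frag_needed(pkt)
        if info is not None:
            counts["to_clients" if info["notified"] in net else "to_remote"] += 1
    return counts

# Constructed capture: addresses, the /24 client range and MTU 1476 are assumptions.
CLIENT_NET = "10.20.0.0/24"
SAMPLE = [
    frag_needed("10.20.0.1", "203.0.113.10", "10.20.0.5", 1476),
    frag_needed("10.20.0.1", "198.51.100.7", "10.20.0.9", 1476),
    ipv4("10.20.0.5", "203.0.113.10", 1, struct.pack("!BBHHH", 8, 0, 0, 1, 1)),  # echo
]

if __name__ == "__main__":
    print(tally_by_side(SAMPLE, CLIENT_NET))
```

A tally with every 3:4 on the remote side and none on the client side matches the symptom in the quoted message; the capture point still has to be outside the AC-to-AP tunnel for the client-side count to mean anything.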