VPN and icmp
Neil Ratzlaff
neil.ratzlaff at UCOP.EDU
Wed Aug 16 19:17:28 EDT 2000
We recently tried to set up a Cisco VPN with some NT servers at our end;
the other end had Windows something. Parts of it worked and parts didn't,
and we eventually found the cause to be the close Cisco router sending ICMP
type 3 code 4 packets back to the NT machines. The packets from NT had the
'Don't Fragment' bit set, and Cisco couldn't encrypt them and still fit
them under the packet size limit. I suggested the NT owners stop setting
the Don't Fragment bit, and they said there was no way to do that. They
also cited RFC 1853:
3.1. Tunnel MTU Discovery
When the Don't Fragment bit is set by the originator and copied into
the outer IP header, the proper MTU of the tunnel will be learned
from ICMP (Type 3 Code 4) "Datagram Too Big" errors reported to the
encapsulator. To support originating hosts which use this
capability, all implementations MUST support Path MTU Discovery
[RFC-1191, RFC-1435] within their tunnels.
So.... questions:
1. Can NT stop setting the Don't Fragment bit, and if so, how?
2. What is the best way to deal with this situation?
Thanks,
Neil
VPN is sponsored by SecurityFocus.COM
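The exchange Neil describes, as an added example that is not part of the original post or of any Cisco or Microsoft code: an encapsulator that follows RFC 1853 section 3.1 (encapsulate if the inner packet fits, fragment it if DF is clear, otherwise return ICMP Type 3 Code 4 with the RFC 1191 Next-Hop MTU field), plus the originating host's side of Path MTU Discovery. The ESP overhead figures (20-byte outer header, 8-byte ESP header, 8-byte IV, 8-byte cipher block, 12-byte ICV) are assumptions standing in for whatever the SA actually negotiates; the packets and addresses are constructed samples.

```python
import struct

# Protocol constants (RFC 792 / RFC 1191). All packets built below are constructed samples.
ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4          # "Fragmentation Needed and DF was Set"
IP_FLAG_DF = 0x4000           # Don't Fragment bit in the IPv4 flags/fragment-offset word
# RFC 1191 plateau table, used by a host when the router left Next-Hop MTU at zero.
PMTU_PLATEAUS = (65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; verifying a message yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def esp_tunnel_mtu(outer_mtu: int, iv_len: int = 8, block_size: int = 8, icv_len: int = 12) -> int:
    """Largest inner IPv4 packet that still fits one outer packet after ESP tunnel-mode
    encapsulation. Overhead assumed here (not taken from the post): 20-byte outer IPv4
    header, 8-byte ESP header (SPI + sequence number), the cipher IV, payload padded to
    the cipher block size plus a 2-byte trailer (pad length, next header), and the ICV.
    Defaults match a 64-bit block cipher with a 96-bit truncated HMAC."""
    available = outer_mtu - 20 - 8 - iv_len - icv_len
    padded_payload = (available // block_size) * block_size
    return padded_payload - 2


def ipv4_packet(payload_len: int, df: bool, src: bytes, dst: bytes, proto: int = 6) -> bytes:
    """Minimal constructed IPv4 packet (20-byte header, no options) with a filler payload."""
    flags_frag = IP_FLAG_DF if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, flags_frag,
                      64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + b"A" * payload_len


def build_frag_needed(original: bytes, next_hop_mtu: int) -> bytes:
    """ICMP Destination Unreachable, code 4, carrying the RFC 1191 Next-Hop MTU and
    quoting the offending IP header plus the first 8 bytes of its payload."""
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    body += original[:28]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_frag_needed(icmp: bytes):
    """Next-Hop MTU from a Type 3 Code 4 message; None if it is not one or the checksum fails."""
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    return mtu


def encapsulator_decision(inner: bytes, tunnel_mtu: int):
    """Tunnel endpoint behaviour per RFC 1853 section 3.1: encapsulate if the packet fits,
    fragment it if it does not and DF is clear, otherwise send Type 3 Code 4 back to the
    originator. Returns ("encapsulate", None), ("fragment", None) or ("icmp", <bytes>)."""
    total_length = struct.unpack("!H", inner[2:4])[0]
    df = bool(struct.unpack("!H", inner[6:8])[0] & IP_FLAG_DF)
    if total_length <= tunnel_mtu:
        return ("encapsulate", None)
    if not df:
        return ("fragment", None)
    return ("icmp", build_frag_needed(inner, tunnel_mtu))


def host_pmtu_update(current_pmtu: int, icmp: bytes) -> int:
    """Originating host side of PMTU discovery (RFC 1191): lower the path MTU to the
    advertised Next-Hop MTU, or to the next plateau below the current value when the
    router did not fill the field in. The estimate is never raised by an ICMP error."""
    mtu = parse_frag_needed(icmp)
    if mtu is None:
        return current_pmtu
    if mtu == 0:
        mtu = next((p for p in PMTU_PLATEAUS if p < current_pmtu), current_pmtu)
    return min(current_pmtu, mtu)


if __name__ == "__main__":
    tunnel = esp_tunnel_mtu(1500)                                   # 1446 with the default overhead
    pkt = ipv4_packet(1480, True, b"\x0a\x00\x00\x01", b"\x0a\x00\x01\x01")  # 1500 bytes, DF set
    action, icmp = encapsulator_decision(pkt, tunnel)
    print(action, parse_frag_needed(icmp))                          # icmp 1446
    print(host_pmtu_update(1500, icmp))                             # 1446
```

The host side is the part the NT owners were relying on: a full-size DF packet draws a Type 3 Code 4 from the encapsulator, the host drops its path MTU to the advertised value and resends, and no DF bit needs to be cleared. The failure mode the post describes appears when those ICMP errors never reach the host (filtered, or the router leaves the Next-Hop MTU at zero and the host does not fall back to a plateau), which is why the example verifies the checksum and handles the zero field rather than trusting the message blindly.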