[vpn] MTU Problems
Sandy Harris
sandy at storm.ca
Wed Oct 3 23:55:32 EDT 2001
David McNeese wrote:
>
> We have recently begun to have problems accessing some web sites via
> our VPN connections. We are using an Intel NetStructure as well as an
> Intraport 2+. Here's what has started:
>
> The VPN process must add some additional information to the headers of
> each frame, as a result the MTU is somewhat less than 1500 bytes.
> There are several web sites (Yahoo in particular) that are sending data
> to us in 1500 byte frames with the "Do Not Fragment Bit" set. The
> result is, our boxes throw the frames away because they aren't
> allowed to fragment them. A message (NACK) is sent back to the website
> requesting smaller frames (part of the RSVP protocol)

My understanding is that you should send an ICMP packet.
http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/glossary.html#pathMTU

> or asking that
> the "do not fragment bit" not be set. We still get the 1500 byte
> frames so the client can't get the page.
>
> Has anybody else run into this? Are you aware of a solution (it seems
> to me it is a config problem at Yahoo)?