[vpn] MTU Problems

[Raymakers, Guy]

We had also a problem with MTU's being too large. Luckily we had an Intranet
environment which is fully managed so we changed the MTU of both the clients
and the server to 1400 or so to be sure that we didn't had an MTU problem
anymore.

I know that some VPN products allow to do something about this like
NetScreen and I believe Cisco also have something like ' set ip df 0 ' on
IOS to turn the DF bit off.

Good luck,
Guy

-----Original Message-----
From: David McNeese [mailto:dmcneese at lanl.gov]
Sent: Wednesday, October 03, 2001 11:14 PM
To: vpn at securityfocus.com
Subject: [vpn] MTU Problems


We have recently begun to have problems accessing some web sites via
our VPN connections.  We are using an Intel NetStructure as well as an
Intraport 2+ .  Here's what has started:

The VPN process must add some additional information to the headers of
each frame,  as a result the MTU is somewhat less than 1500 bytes.
There are several web sites (Yahoo in particular) that is sending data
to us in 1500 byte frames with the "Do Not Fragment Bit" set.  The
result is, our boxes throw the frames away because they aren't
allowed to fragment it.  A message (NACK) is send back to the website
requesting smaller frames (part of the RSVP protocol) or asking that
the "do not fragment bit" not be set.  We still get the 1500 byte
frames so the client can't get the page.

Has anybody else run into this?  Are you aware of a solution (it seems
to me it is a config problem at Yahoo)?

Thanks!


*************************************************************
"Cheer up, things could be worse.  So
I cheered up and sure enough, things got worse."

David McNeese
CCN-5 Network Services Team
MS B255
505-667-5226 (voice)
dmcneese at lanl.gov


VPN is sponsored by SecurityFocus.com

VPN is sponsored by SecurityFocus.com