[vpn] MTU Problems

Eric Vyncke evyncke at cisco.com
Thu Oct 4 05:46:32 EDT 2001


What you are facing is Path MTU Discovery and not RSVP ;-)

The goal is to avoid fragmentation of IP datagrams by 'probing'
the path with IP datagrams whose DF (do not fragment) bit is set
and by listening to ICMP sent by the device refusing to fragment.

The usual caveat is that the ICMP unreachable (not a NACK) is
blocked by a firewall somewhere on the path... another possible
error is that your IPSec device is not able to process ICMP
messages addressed to it (see RFC 2401 for more info).

Workarounds include allowing ICMP unreachable through the firewall,
changing the MTU on the servers and/or clients, ...

Just my 0.01 EUR


At 15:13 3/10/2001 -0600, David McNeese wrote:
>We have recently begun to have problems accessing some web sites via
>our VPN connections.  We are using an Intel NetStructure as well as an
>Intraport 2+ .  Here's what has started:
>The VPN process must add some additional information to the headers of
>each frame; as a result the MTU is somewhat less than 1500 bytes.
>There are several web sites (Yahoo in particular) that are sending data
>to us in 1500 byte frames with the "Do Not Fragment Bit" set.  The
>result is, our boxes throw the frames away because they aren't
>allowed to fragment it.  A message (NACK) is sent back to the website
>requesting smaller frames (part of the RSVP protocol) or asking that
>the "do not fragment bit" not be set.  We still get the 1500 byte
>frames so the client can't get the page.
>Has anybody else run into this?  Are you aware of a solution (it seems
>to me it is a config problem at Yahoo)?
>"Cheer up, things could be worse.  So
>I cheered up and sure enough, things got worse."
>David McNeese
>CCN-5 Network Services Team
>MS B255
>505-667-5226 (voice)
>dmcneese at lanl.gov
>VPN is sponsored by SecurityFocus.com

VPN is sponsored by SecurityFocus.com
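To make the mechanism in Eric's reply concrete, here is an added simulation of Path MTU Discovery (RFC 1191) written for this page; it is not code from the thread or from any of the products mentioned. It builds and parses real ICMP "Destination Unreachable / Fragmentation Needed" messages (type 3, code 4, with the next-hop MTU in the header), walks a DF-set datagram along a constructed path whose IPsec gateway has a reduced effective MTU, and shows both outcomes: the sender learns the path MTU when the ICMP gets back, and the transfer black-holes when a firewall in between filters it. Hop names, MTU values (1440 for the IPsec gateway) and the firewall behaviour are all constructed assumptions.

```python
"""Simulation of Path MTU Discovery (RFC 1191) over a path that contains an
IPsec gateway with a reduced effective MTU, plus the failure mode from the
thread: a firewall that drops the ICMP "fragmentation needed" replies.

Every hop, MTU and firewall setting below is constructed for this example.
"""
import struct
from dataclasses import dataclass

ICMP_DEST_UNREACH = 3   # ICMP type: Destination Unreachable
ICMP_FRAG_NEEDED = 4    # code: fragmentation needed and DF set (RFC 1191)


def icmp_checksum(data: bytes) -> int:
    """One's-complement Internet checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frag_needed(next_hop_mtu: int, original_header: bytes) -> bytes:
    """Build the ICMP message a router sends when it refuses to fragment.

    RFC 1191 layout: type(1) code(1) checksum(2) unused(2) next-hop MTU(2),
    followed by the offending IP header plus the first 8 bytes of payload.
    """
    hdr = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
                      0, 0, next_hop_mtu)
    msg = hdr + original_header[:28]
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]


def parse_frag_needed(msg: bytes):
    """Return the next-hop MTU carried by a Fragmentation Needed message,
    or None if the checksum fails or the type/code is something else."""
    if len(msg) < 8 or icmp_checksum(msg) != 0:
        return None
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if typ != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    return mtu


@dataclass
class Hop:
    name: str
    mtu: int                  # MTU of the link this hop forwards onto
    drops_icmp: bool = False  # a firewall that filters ICMP unreachables


def forward(path, size: int, df: bool):
    """Carry one datagram from the sender along the path.

    Returns ("ok", None) if delivered, ("icmp", msg) if a hop refused to
    fragment and its ICMP reached the sender, or ("dropped", None) if that
    ICMP was filtered by a firewall on the way back."""
    for i, hop in enumerate(path):
        if size <= hop.mtu:
            continue
        if not df:
            continue  # hop would simply fragment; PMTUD is not involved
        # Hop refuses to fragment; constructed 20-byte IP header as the quote.
        msg = build_frag_needed(hop.mtu, b"\x45" + b"\x00" * 19)
        # The ICMP travels back through hops 0..i-1; a filtering one eats it.
        if any(h.drops_icmp for h in path[:i]):
            return "dropped", None
        return "icmp", msg
    return "ok", None


def discover_pmtu(path, initial_mtu: int = 1500, max_probes: int = 8):
    """Sender side of PMTUD: probe with DF set, shrink on ICMP, stop once a
    probe is delivered. Returns (pmtu, probes_sent); pmtu is None when the
    path black-holes, i.e. no ICMP ever arrives and the sender keeps
    retransmitting full-size datagrams until it gives up."""
    mtu = initial_mtu
    for probes in range(1, max_probes + 1):
        status, msg = forward(path, mtu, df=True)
        if status == "ok":
            return mtu, probes
        if status == "icmp":
            next_mtu = parse_frag_needed(msg)
            if next_mtu is None or next_mtu >= mtu:
                return None, probes  # malformed or non-shrinking: bail out
            mtu = next_mtu
        # status == "dropped": nothing arrives, so the sender retries as-is
    return None, max_probes


if __name__ == "__main__":
    healthy = [Hop("isp-router", 1500), Hop("firewall", 1500),
               Hop("ipsec-gw", 1440)]
    filtered = [Hop("isp-router", 1500), Hop("firewall", 1500, drops_icmp=True),
                Hop("ipsec-gw", 1440)]
    print("ICMP allowed :", discover_pmtu(healthy))   # (1440, 2)
    print("ICMP filtered:", discover_pmtu(filtered))  # (None, 8)
```

The second run is the situation described in the thread: the IPsec gateway refuses the 1500-byte DF datagram and answers correctly, but because the firewall in front of it discards ICMP unreachables the remote web server never learns the smaller MTU and keeps sending 1500-byte datagrams. On a real firewall the fix is to permit ICMP type 3 code 4 (at least from the gateway's address) rather than dropping all ICMP.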
