[Openswan Users] unreachable - need to frag

Andy Gay andy at andynet.net
Sat Aug 5 20:19:00 EDT 2006


On Sat, 2006-08-05 at 11:53 -0700, Brian Sheets wrote:
> I'm not sure I understand this
> 
> When I scp a file from my home system, behind the netscreen, 
> 
> 18:48:49.535015 IP 192.168.23.27.ssh > 10.200.200.10.54855: .
> 76365:77657(1292) ack 1346 win 50388 <nop,nop,timestamp 118421258
> 199723391>
> 
> It appears that the packet size is 1292
> 
> When I do the same thing from my office site
> 
> 18:50:42.707862 IP 192.168.21.11.ssh > 10.200.200.10.54857: .
> 1600:3048(1448) ack 1314 win 1752 <nop,nop,timestamp 633033311
> 199734576>
> 18:50:42.708554 IP gateway1.mxpath.net > 192.168.21.11: icmp 556:
> 10.200.200.10 unreachable - need to frag (mtu 1500)
> 
> The MTU on the netscreen at my home has defaulted to 1492, and the one at
> the office is 1500, that's the only difference I can see.
> 
> In addition, the box at home is a solaris box, the box at the office is
> a debian box. BTW, I can duplicate this on any box behind the openswan
> to any box behind the office netscreen so I know that it's independent of
> any client system.

Can you please try to clarify what's talking to what here. You seem to
refer to 2 netscreens, a Solaris system and a debian system running
really old openswan. But I can't work out from anything you've sent how
they're interconnected, where any IPsec tunnels are, and which points
you're monitoring to take the traces. Maybe some ascii art is called
for :)

> 
> Who is driving the packet size, why is the packet coming from my home
> 1292?

Maybe because it heard the frag needed error and adjusted its MTU
accordingly. That's how PMTUD is supposed to work. 1292 seems rather low
though. But then you're picking 1 packet out of a stream, maybe the
sender only had that much to transmit at that time.

Another possibility is that your home (Solaris?) system isn't using
PMTUD, so the network is fragmenting larger packets. Use at least 1 -v
option to tcpdump so we can see if it's setting DF.

> 
> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com] 
> Sent: Saturday, August 05, 2006 9:11 AM
> To: Brian Sheets
> Cc: cam73 at aanet.com.au; users at openswan.org
> Subject: RE: [Openswan Users] unreachable - need to frag
> 
> On Sat, 5 Aug 2006, Brian Sheets wrote:
> 
> > Linux Openswan U2.2.0/K2.6.8-2-386 (native)
> 
> Both openswan and kernel need an update. Any kernel when using netkey
> ('native') older than 2.6.11 should be avoided due to missing MTU related
> patches.
> 
> This includes the 2.6.9 based RHEL4 kernel unfortunately
> 
> Paul
> 
> 
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n(3155
> 
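Andy's reply asks for a `tcpdump -v` trace so the DF bit can be seen. As an added example, not part of this thread or of Openswan, the Python checker below reads `tcpdump -v -n` style lines and, for each TCP segment, reports whether DF is set and whether the datagram is larger than the path MTU most recently announced for its destination by an ICMP "unreachable - need to frag" message. The trace, the addresses, and the 1400-byte MTU in it are constructed for illustration; the parser assumes IPv4 with numeric addresses.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example (not from the original thread): inspects `tcpdump -v -n`
# output for PMTUD behaviour. Assumes IPv4 and numeric addresses (-n).
# The trace below is constructed, not a capture from the thread; the
# parenthesised IP header summary is what -v adds, and that is where the
# DF flag and the total datagram length appear.
SAMPLE_TRACE = """\
18:50:42.707862 IP (tos 0x10, ttl 64, id 4001, offset 0, flags [DF], proto: TCP (6), length: 1500) 192.168.21.11.22 > 10.200.200.10.54857: . 1600:3048(1448) ack 1314 win 1752 <nop,nop,timestamp 633033311 199734576>
18:50:42.708554 IP (tos 0xc0, ttl 64, id 0, offset 0, flags [none], proto: ICMP (1), length: 576) 192.168.21.1 > 192.168.21.11: 10.200.200.10 unreachable - need to frag (mtu 1400)
18:50:42.709100 IP (tos 0x10, ttl 64, id 4002, offset 0, flags [DF], proto: TCP (6), length: 1400) 192.168.21.11.22 > 10.200.200.10.54857: . 1600:2948(1348) ack 1314 win 1752 <nop,nop,timestamp 633033312 199734576>
18:50:43.100000 IP (tos 0x10, ttl 64, id 4003, offset 0, flags [DF], proto: TCP (6), length: 1500) 192.168.21.11.22 > 10.200.200.10.54857: . 2948:4396(1448) ack 1314 win 1752 <nop,nop,timestamp 633033400 199734580>
18:50:44.000000 IP (tos 0x0, ttl 255, id 7, offset 0, flags [none], proto: TCP (6), length: 1500) 192.168.23.27.22 > 10.200.200.10.54855: . 76365:77813(1448) ack 1346 win 50388 <nop,nop,timestamp 118421258 199723391>
"""

IP_HDR = re.compile(
    r"flags \[(?P<flags>[^\]]*)\].*?length:? (?P<length>\d+)\)\s*"
    r"(?P<src>\S+) > (?P<dst>\S+):"
)
NEED_FRAG = re.compile(
    r"(?P<orig_dst>\S+) unreachable - need to frag \(mtu (?P<mtu>\d+)\)"
)


@dataclass
class Finding:
    time: str
    kind: str          # "tcp" or "icmp-need-frag"
    src: str
    dst: str
    length: int        # total IP datagram length from the -v header
    df: bool
    status: str        # "ok", "no-pmtud", "exceeds-path-mtu", "mtu-report"
    path_mtu: Optional[int] = None


def host_of(addr: str) -> str:
    """Strip the port from tcpdump's a.b.c.d.port form (IPv4 only)."""
    parts = addr.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else addr


def analyze(trace: str) -> List[Finding]:
    path_mtu: Dict[str, int] = {}   # destination host -> last MTU reported for it
    findings: List[Finding] = []
    for line in trace.splitlines():
        hdr = IP_HDR.search(line)
        if not hdr:
            continue                # not an IP line in the -v format we parse
        time = line.split(" ", 1)[0]
        length = int(hdr.group("length"))
        src, dst = host_of(hdr.group("src")), host_of(hdr.group("dst"))
        df = "DF" in hdr.group("flags")
        frag = NEED_FRAG.search(line)
        if frag:
            # The ICMP error quotes the original destination; a PMTUD-capable
            # sender lowers its estimate for that destination to the given MTU.
            mtu = int(frag.group("mtu"))
            path_mtu[frag.group("orig_dst")] = mtu
            findings.append(Finding(time, "icmp-need-frag", src, dst, length, df,
                                    "mtu-report", mtu))
            continue
        known = path_mtu.get(dst)
        if not df:
            status = "no-pmtud"          # DF clear: routers fragment, PMTUD not in use
        elif known is not None and length > known:
            status = "exceeds-path-mtu"  # DF set and too large: dropped again
        else:
            status = "ok"
        findings.append(Finding(time, "tcp", src, dst, length, df, status, known))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per status, a quick view of how a host reacts to need-frag."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_TRACE):
        extra = f" (path mtu {f.path_mtu})" if f.path_mtu else ""
        print(f"{f.time} {f.src} > {f.dst} len={f.length} DF={f.df} {f.status}{extra}")
```

In the constructed trace the first 1500-byte segment draws a need-frag report of 1400, the sender's next segment shrinks to 1400 (the adjustment Andy describes), a later 1500-byte DF segment to the same host is flagged as exceeding the known path MTU (what you would see if the ICMP were being filtered before it reached the sender), and the last line has DF clear, which is the "not using PMTUD, the network fragments" case.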