Re: ECMP, DF-bit and ICMP "Fragmentation needed"
- In reply to: Alexander Chernikov : "Re: ECMP, DF-bit and ICMP "Fragmentation needed""
Date: Thu, 02 Mar 2023 17:45:35 UTC
On Mon, 27 Feb 2023 at 13:57, Alexander Chernikov <melifaro@freebsd.org> wrote:
>
> > On 26 Feb 2023, at 12:07, Victor Gamov <vitspec@gmail.com> wrote:
> >
> > Hi All
> >
> > I have the following scheme:
> > - LAN segment 10.5.8.0/24 with router1 (10.5.8.1) and MTU=1500
> > - two hosts at LAN segment host21 (10.5.8.21) and host22 (10.5.8.22)
> > - host21 and host22 have VIP=172.16.110.30 configured as LAN-interface alias
> > - host21 and host22 have BGP peering with router1 and announce VIP to router1
> > - hostX somewhere at intranet
> > - ipsec-tunnel with MTU=1400
> >
> > ECMP works fine and traffic from other segments to VIP is balanced between host21+host22 by router1.
> >
> > The problem is:
> > when host21 and/or host22 send a large packet with DF-bit using VIP as source then ipsec-router sends ICMP "Fragmentation needed" and then this ICMP is _always_ sent to only host22 by router1.
> >
> > I think it may be hard or impossible to find the proper VIP-owner to send this ICMP to. Is it possible to propagate such ICMP to all VIP-owners in router1 routing-table? Or may some data from ICMP message be used to properly calculate ECMP-hash to find a real VIP-owner which must receive this ICMP?
> Generally it's pretty hard to do. The path may go through multiple routers which have their own hash calculation + seed to avoid traffic polarisation. Personally I'd suggest doing some sort of ICMP replication on either the source node or the hosts.
>
Hi Alexander!

Thanks for your reply.

In my scheme router1 can replicate such ICMP to all VIP-owners. And only router1 knows about both host21+host22 peers -- for all other network devices this VIP is behind router1.

--
CU, Victor Gamov
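The two options discussed in the thread (replicate the ICMP error to every VIP owner, or hash it on data carried inside the ICMP message) can be illustrated with a small model of what router1 sees. The example below is added here and is not code from the thread, FreeBSD or any router. It parses an ICMP "Fragmentation needed" packet (type 3, code 4), pulls out the quoted original IPv4 header, and hashes the quoted 5-tuple with source/destination and ports swapped, so the error lands on the same host that the reverse-direction flow (hostX to VIP) was balanced to. The hash function (SHA-256 over the tuple plus a seed), the hostX and ipsec-router addresses, and the packet contents are constructed assumptions; host21, host22 and the VIP are taken from the thread. As Alexander notes, this only works because router1 is the single hop that performs the ECMP decision for the VIP.

```python
"""Added example: steering an ICMP "Fragmentation needed" error to the VIP owner.

Not code from the thread or from any real router.  The hash (SHA-256 + seed)
stands in for a router's CRC/Toeplitz ECMP hash; hostX and the ipsec-router
addresses are constructed.  host21/host22/VIP come from the thread."""
import hashlib
import socket
import struct

VIP_OWNERS = ["10.5.8.21", "10.5.8.22"]   # host21 and host22 from the thread


def ecmp_select(key, owners, seed=b"router1"):
    """Pick one next hop for a 5-tuple.  Deterministic, so the same key always
    maps to the same owner (assumed stand-in for a real ECMP hash)."""
    digest = hashlib.sha256(seed + repr(key).encode()).digest()
    return owners[int.from_bytes(digest[:4], "big") % len(owners)]


def parse_ipv4(pkt):
    """Minimal IPv4 header parser: returns proto, addresses and the L4 payload."""
    ver_ihl, _tos, _tlen, _id, _ff, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto, "src": socket.inet_ntoa(src),
            "dst": socket.inet_ntoa(dst), "payload": pkt[ihl:]}


def l4_ports(proto, l4):
    """TCP(6)/UDP(17) carry ports in the first four bytes; others hash on 0/0."""
    if proto in (6, 17) and len(l4) >= 4:
        return struct.unpack("!HH", l4[:4])
    return (0, 0)


def hash_key_for(pkt):
    """5-tuple router1 should hash.  For an ICMP destination-unreachable error
    the quoted original header is used with src/dst and ports swapped, so the
    error is hashed exactly like a packet of the flow hostX -> VIP."""
    ip = parse_ipv4(pkt)
    if ip["proto"] == 1:                       # ICMP
        icmp = ip["payload"]
        # type 3 = dest unreachable; the quote must hold 20B IP + 8B of L4
        if icmp[0] == 3 and len(icmp) >= 8 + 28:
            inner = parse_ipv4(icmp[8:])
            sport, dport = l4_ports(inner["proto"], inner["payload"])
            return (inner["dst"], inner["src"], inner["proto"], dport, sport)
    sport, dport = l4_ports(ip["proto"], ip["payload"])
    return (ip["src"], ip["dst"], ip["proto"], sport, dport)


def icmp_error_targets(pkt, owners, replicate=False):
    """Option from the thread: replicate to every VIP owner.  Alternative:
    deliver only to the owner selected by the inner-header hash."""
    if replicate:
        return list(owners)
    return [ecmp_select(hash_key_for(pkt), owners)]


# --- constructed packets for the demonstration -------------------------------
def build_ipv4(src, dst, proto, payload, df=True):
    flags = 0x4000 if df else 0                # DF bit, as in the thread
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags, 64, proto, 0, socket.inet_aton(src),
                      socket.inet_aton(dst))
    return hdr + payload


def build_tcp_stub(sport, dport):
    # Ports + sequence number: the 8 L4 bytes an ICMP error quotes.
    return struct.pack("!HHI", sport, dport, 1)


def build_frag_needed(router, dst, original_pkt, mtu):
    # type 3, code 4, checksum (not validated here), unused, next-hop MTU
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + original_pkt[:28]
    return build_ipv4(router, dst, 1, icmp)


def demo():
    host_x, vip, ipsec_router = "10.20.0.9", "172.16.110.30", "10.9.0.1"
    # Forward flow hostX -> VIP, which router1 balances normally.
    fwd = build_ipv4(host_x, vip, 6, build_tcp_stub(40000, 443))
    # Large DF reply VIP -> hostX that exceeds the 1400-byte tunnel MTU,
    # and the ICMP error the ipsec-router sends back to the VIP quoting it.
    reply = build_ipv4(vip, host_x, 6, build_tcp_stub(443, 40000) + b"x" * 1450)
    icmp_err = build_frag_needed(ipsec_router, vip, reply, 1400)
    owner_fwd = ecmp_select(hash_key_for(fwd), VIP_OWNERS)
    owner_inner = icmp_error_targets(icmp_err, VIP_OWNERS)[0]
    # What the thread describes: hashing only the outer ICMP header, which is
    # identical for every error and so always picks the same host.
    outer = parse_ipv4(icmp_err)
    owner_outer = ecmp_select((outer["src"], outer["dst"], 1, 0, 0), VIP_OWNERS)
    return owner_fwd, owner_inner, owner_outer


if __name__ == "__main__":
    print("forward flow owner, inner-hash owner, outer-hash owner:", demo())
```

Running `demo()` shows that the inner-header hash sends the error to the same host as the hostX to VIP flow, while the outer-header hash is blind to which owner sent the oversized packet. The replicate option (`icmp_error_targets(..., replicate=True)`) simply returns both owners, which matches what Victor says router1 can do; the non-owner host then receives an ICMP error for a connection it does not have and discards it.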