kern/112722: [udp] IP v4 udp fragmented packet reject
Kent Fox
Kent.Fox at imail.org
Mon Feb 2 10:20:04 PST 2009
The following reply was made to PR kern/112722; it has been noted by GNATS.
From: Kent Fox <Kent.Fox at imail.org>
To: "rwatson at FreeBSD.org" <rwatson at FreeBSD.org>, "freebsd-net at FreeBSD.org"
<freebsd-net at FreeBSD.org>
Cc:
Subject: RE: kern/112722: [udp] IP v4 udp fragmented packet reject
Date: Mon, 2 Feb 2009 08:21:56 -0700
Thanks for the thought but we went back to OpenBSD and fixed our performance
issue with some kernel parameters. I'm sorry that I cannot help out and
duplicate the problem as I no longer have that environment. The main issue
was the forced reassembly of fragmented packets. When the ingress packet size
was maxed out, the egress with the tunnel encapsulation was too large and
the packet was discarded. We tried a smaller MTU on the ingress but we still
could never make it work. Doing an IPsec tunnel with RDP was a sure way
of killing the connection. So what you have is C------>FW------->S. From
C(lient) the S(erver) there is an IPSec tunnel (all the way) and from C to FW
(firewall FreeBSD server) is another IPSec tunnel (tunnel on the intranet
(now GRE)).
Hope that helps.
Kent
-----Original Message-----
From: rwatson at FreeBSD.org [mailto:rwatson at FreeBSD.org]
Sent: Monday, February 02, 2009 4:49 AM
To: Kent Fox; rwatson at FreeBSD.org; freebsd-net at FreeBSD.org
Subject: Re: kern/112722: [udp] IP v4 udp fragmented packet reject
Synopsis: [udp] IP v4 udp fragmented packet reject
State-Changed-From-To: open->feedback
State-Changed-By: rwatson
State-Changed-When: Mon Feb 2 11:31:13 UTC 2009
State-Changed-Why:
Dear Kent:
I apologize for the delay in response to this problem report. Could I ask
you to:
(1) Confirm the problem still exists, especially if you've moved forward
to a more recent rev of FreeBSD.
(2) Let me know a bit more about your firewall/ipsec/etc setup. In
particular, if you can easily identify a minimalist setup to reproduce
this problem. Do the packets you're describing enter via a tunnel, or
do they arrive unencapsulated?
(3) Send me tcpdump output that shows the packet ingress and resulting
ICMP.
Thanks,
Robert
http://www.freebsd.org/cgi/query-pr.cgi?pr=112722