[58330] in North American Network Operators' Group
Re: PMTU and Broken Servers
daemon@ATHENA.MIT.EDU (Joe St Sauver)
Thu May 8 10:52:37 2003
Date: Thu, 08 May 2003 07:51:54 -0700 (PDT)
From: Joe St Sauver <JOE@OREGON.UOREGON.EDU>
To: bicknell@ufp.org
Cc: nanog@merit.edu
Hi Leo,
#The tunnel between the tunnelboxes is a lower (1480) MTU. Originally
#the user couldn't access some servers, turns out the firewall was
#filtering ICMP Can't Fragment messages, preventing PMTU from working
#in the server->user direction (tunnelbox1 would generate Can't
#Fragment, firewall would filter).
This is actually a more broadly present problem than you might think.
I talked about this in the context of a jumbo frames presentation
("Practical Issues Associated with 9K MTUs") I did for the February
NLANR/I2 Joint Techs in Miami; see:
http://darkwing.uoregon.edu/~joe/jumbos/ (PDF and PowerPoint versions provided)
#I find it slightly
#(emphasis on the slightly) that someone would turn on PMTU discovery,
#and then filter it out right in front of the boxes where they turned
#it on.
Different folks are probably driving the server network configuration and
the firewall/border router configuration process. Disconnect is not
inconceivable in that scenario by any means.
#This is a new problem to me, but I'm sure people have run into it
#before. Are the servers really that broken (PMTU enabled, ICMP
#Can't Fragment filtered)?
Yes, it is a huge issue potentially.
Regards,
Joe St Sauver (joe@oregon.uoregon.edu)
University of Oregon Computing Center
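As an added illustration (not part of the thread), a small Python model of the exchange Leo describes: a DF-marked packet hits the 1480-byte tunnel, tunnelbox1 emits ICMP Fragmentation Needed (type 3, code 4), and the sender only learns the path MTU if every hop on the way back lets that ICMP through. Hop names and the 1500-byte LAN MTU are assumptions; the 1480 tunnel MTU is from the thread.

```python
from dataclasses import dataclass, field

# ICMP Destination Unreachable, code 4: "Fragmentation Needed and DF Set" (RFC 792/1191)
ICMP_FRAG_NEEDED = (3, 4)


@dataclass
class Hop:
    name: str
    mtu: int                                       # MTU of this hop's outgoing link
    drops_icmp: set = field(default_factory=set)   # ICMP (type, code) pairs filtered here


def send_df(hops, size):
    """Push one DF-marked packet of `size` bytes along `hops` (sender side first).

    Returns ("delivered", size, True) if every link can carry it; otherwise
    ("frag_needed", link_mtu, icmp_reached_sender). The first hop whose link is
    too small emits ICMP Frag Needed, which must cross every earlier hop to get
    back to the sender; an earlier hop that filters it creates a black hole.
    """
    for i, hop in enumerate(hops):
        if size > hop.mtu:
            icmp_reached = all(ICMP_FRAG_NEEDED not in h.drops_icmp for h in hops[:i])
            return ("frag_needed", hop.mtu, icmp_reached)
    return ("delivered", size, True)


def discover_pmtu(hops, initial_size=1500, max_tries=5):
    """Classic PMTUD: start at the local MTU and shrink on each Frag Needed.
    Returns the working path MTU, or None when the sender never hears back
    (the 'broken server' symptom from the thread)."""
    size = initial_size
    for _ in range(max_tries):
        status, mtu, icmp_reached = send_df(hops, size)
        if status == "delivered":
            return size
        if not icmp_reached:
            return None        # sender keeps retransmitting at the same size
        size = mtu
    return None


# Constructed topology mirroring the thread: server -> firewall -> tunnelbox1 -> (1480 tunnel)
def path(firewall_filters_icmp):
    fw = Hop("firewall", 1500, {ICMP_FRAG_NEEDED} if firewall_filters_icmp else set())
    return [fw, Hop("tunnelbox1", 1480), Hop("tunnelbox2", 1500)]


if __name__ == "__main__":
    print("ICMP filtered:", discover_pmtu(path(True)))    # None: PMTUD black hole
    print("ICMP allowed: ", discover_pmtu(path(False)))   # 1480
```

Permitting ICMP type 3 code 4 through the firewall (or clamping TCP MSS on the tunnel box so no 1500-byte DF segments are generated) is what makes the second case the one servers actually see.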