Topic: Fragments (Large Packets) fail through IPSec VPN
Fragments (Large Packets) fail through IPSec VPN
« on: January 21, 2009, 23:19:05 »
neik
Posts: 6
I have two monowalls connected via an IPSec VPN (on a LAN). Large packets, e.g. "ping -l 2048" on Windows, do not reliably work. Other large packets, e.g. UDP Kerberos for Active Directory, are also damaged.
This line from syslog shows the (part of?) first packet of a 4 packet ping being blocked by the local firewall even though of course the default LAN rule is in place. The first ping failed, the next three worked ok. Sometimes I can do several bursts of 100 pings, sometimes not.
This is a 1.3b15 monowall sending the pings. 1.235 seems much worse.
I have turned on _every_ option for large fragments (ie advanced options and each rule).
ipmon[128]: 21:55:11.649191 vr0 @100:2 b 192.168.122.199 -> 192.168.1.1 PR icmp len 20 (596) (frag 10678:576@1480) IN
This seems like a real bug, and it is disastrous for us; sadly, we must use AD. We replaced a bunch of Watchguards with monowalls and now I look like a dope for recommending them.
Please help, you're my only hope.
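Decoding the ipmon line quoted in this post, as an added example that is not part of the original post or of m0n0wall: it parses the fragment fields and tallies blocked non-initial fragments per rule. The field layout (`@group:rule`, action `b`/`p`, `frag id:length@offset`) is an assumption read off that line, and two of the sample lines are constructed.

```python
import re
from collections import Counter

# Assumed layout (read off the line quoted in the post, not from ipmon docs):
#   time iface @group:rule action src -> dst PR proto len hdr (total) (frag id:len@offset)
FRAG_LINE = re.compile(
    r"(?P<time>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S+) (?P<src>\S+) -> (?P<dst>\S+) PR (?P<proto>\S+) "
    r"len (?P<hdr>\d+) \((?P<total>\d+)\) "
    r"\(frag (?P<id>\d+):(?P<flen>\d+)@(?P<off>\d+)"
)

def parse_fragment(line):
    """Return a dict for a logged IP fragment, or None for any other line."""
    m = FRAG_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("group", "rule", "hdr", "total", "id", "flen", "off"):
        rec[key] = int(rec[key])
    rec["blocked"] = rec["action"] == "b"           # assumed: b = blocked, p = passed
    rec["initial"] = rec["off"] == 0                # offset 0 carries the ICMP/UDP header
    rec["payload_end"] = rec["off"] + rec["flen"]   # last IP payload byte this fragment covers
    rec["consistent"] = rec["hdr"] + rec["flen"] == rec["total"]  # sanity check on the layout
    return rec

def blocked_fragment_summary(lines):
    """Count blocked non-initial fragments per (src, dst, group:rule)."""
    counts = Counter()
    for line in lines:
        rec = parse_fragment(line)
        if rec and rec["blocked"] and not rec["initial"]:
            counts[(rec["src"], rec["dst"], f'{rec["group"]}:{rec["rule"]}')] += 1
    return counts

SAMPLE = [
    # Line quoted in the post above.
    "ipmon[128]: 21:55:11.649191 vr0 @100:2 b 192.168.122.199 -> 192.168.1.1 "
    "PR icmp len 20 (596) (frag 10678:576@1480) IN",
    # Constructed lines (not from the thread): a passed fragment and unrelated noise.
    "ipmon[128]: 21:55:12.650002 vr0 @100:1 p 192.168.122.199 -> 192.168.1.1 "
    "PR icmp len 20 (596) (frag 10679:576@1480) IN",
    "dnsmasq[95]: constructed unrelated syslog line",
]

if __name__ == "__main__":
    rec = parse_fragment(SAMPLE[0])
    print(rec["initial"], rec["payload_end"], dict(blocked_fragment_summary(SAMPLE)))
```

On the quoted line the fragment starts at offset 1480 and ends at byte 2056, which is 2048 bytes of ping data plus the 8-byte ICMP header.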
Re: Fragments (Large Packets) fail through IPSec VPN
« Reply #1 on: January 22, 2009, 01:25:11 »
ChainSaw
Guest
I just confirmed the same IPSec packet loss problem between two 1.3b15 m0n0walls. 0% packet loss with ping -l 1024 and ~ 10% with -l 2048.
Update1: -l 4096 is back to 0% packet loss - Very Strange.
Update2: Forgot to mention, I am not experiencing any AD problems at all.
CS...
« Last Edit: January 22, 2009, 09:28:14 by ChainSaw »
Re: Fragments (Large Packets) fail through IPSec VPN
« Reply #2 on: January 22, 2009, 14:32:51 »
neik
Posts: 6
I too found 4096 seemed to work more often than 2048!
Re: Fragments (Large Packets) fail through IPSec VPN
« Reply #3 on: January 30, 2009, 02:36:03 »
cmb
Posts: 851
Fragments are dropped by the default LAN rule; if you need them, edit that rule and allow them.
Re: Fragments (Large Packets) fail through IPSec VPN
« Reply #4 on: January 30, 2009, 02:52:33 »
ChainSaw
Guest
I already have that box checked. Have you tried this test for yourself?
CS...
Re: Fragments (Large Packets) fail through IPSec VPN
« Reply #5 on: January 30, 2009, 22:15:03 »
neik
Posts: 6
Quote from: cmb on January 30, 2009, 02:36:03
Fragments are dropped by the default LAN rule; if you need them, edit that rule and allow them.
I have turned on _every_ option for large fragments (ie advanced options and each rule).