Topic: Fragments (Large Packets) fail through IPSec VPN  (Read 3012 times)
« on: January 21, 2009, 23:19:05 »
neik *
Posts: 6

I have two monowalls connected via an IPSec VPN (on a LAN). Large packets, eg "ping -l 2048" on Windows, do not reliably work. Other large packets, eg UDP Kerberos for Active Directory, are also damaged.

This line from syslog shows the (part of?) first packet of a 4 packet ping being blocked by the local firewall even though of course the default LAN rule is in place.  The first ping failed, the next three worked ok. Sometimes I can do several bursts of 100 pings, sometimes not.

This is a 1.3b15 monowall sending the pings. 1.235 seems much worse.

I have turned on _every_ option for large fragments (ie advanced options and each rule).

ipmon[128]: 21:55:11.649191 vr0 @100:2 b 192.168.122.199 -> 192.168.1.1 PR icmp len 20 (596) (frag 10678:576@1480) IN

This seems like a real bug. And is disastrous for us, sadly we must use AD. We replaced a bunch of Watchguards with monowalls and now I look like a dope for recommending them.

Please help, you're my only hope.
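To see why that ipmon line is a blocked fragment rather than a whole packet, here is an added example (not from the original post or from m0n0wall) that computes the IPv4 fragments a Windows "ping -l N" produces over a 1500-byte MTU and parses ipmon's "(frag ID:LEN@OFFSET)" field; the regex is an assumption about ipmon's log format, checked only against the line above.

```python
import re

MTU = 1500       # Ethernet MTU assumed for the LAN path
IP_HDR = 20      # IPv4 header without options
ICMP_HDR = 8     # ICMP echo header

def fragment_ping(payload_len, mtu=MTU):
    """IPv4 fragments of one ICMP echo carrying payload_len bytes
    (Windows 'ping -l N'): list of (offset, data_len, ip_total_len)."""
    data = ICMP_HDR + payload_len          # bytes following the IP header
    step = (mtu - IP_HDR) // 8 * 8         # all but the last fragment: multiple of 8
    frags, off = [], 0
    while off < data:
        n = min(step, data - off)
        frags.append((off, n, IP_HDR + n))
        off += n
    return frags

# Assumed ipmon format: "(frag ID:LEN@OFFSET[+])" on non-first fragments; LEN is
# the fragment's data length, OFFSET its byte offset, '+' means more fragments.
IPMON_RE = re.compile(
    r"(?P<iface>\S+) @(?P<rule>\d+:\d+) (?P<act>[bp]) (?P<src>\S+) -> (?P<dst>\S+)"
    r" PR (?P<proto>\w+) len (?P<hlen>\d+) \((?P<tlen>\d+)\)"
    r"(?: \(frag (?P<id>\d+):(?P<flen>\d+)@(?P<foff>\d+)(?P<more>\+?)\))?")

def parse_ipmon(line):
    m = IPMON_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("hlen", "tlen", "id", "flen", "foff"):
        d[k] = int(d[k]) if d[k] is not None else None
    d["blocked"] = d["act"] == "b"
    d["nonfirst_fragment"] = d["foff"] is not None and d["foff"] > 0
    return d

def explain(line, payload_len):
    """True if the line is a blocked non-first fragment of a ping -l payload_len
    echo. Such fragments carry no ICMP header, so stateful matching cannot tie
    them to the echo unless the rule explicitly allows fragments."""
    d = parse_ipmon(line)
    if d is None or not d["blocked"] or not d["nonfirst_fragment"]:
        return False
    expected = {(off, n) for off, n, _ in fragment_ping(payload_len)}
    return (d["foff"], d["flen"]) in expected and d["tlen"] == IP_HDR + d["flen"]

# Log line from the first post above.
SAMPLE = ("ipmon[128]: 21:55:11.649191 vr0 @100:2 b 192.168.122.199 -> 192.168.1.1 "
          "PR icmp len 20 (596) (frag 10678:576@1480) IN")
```

For a 2048-byte payload the calculation gives two fragments, (0, 1480, 1500) and (1480, 576, 596), and the logged 576@1480 is exactly the second one, so explain(SAMPLE, 2048) is True.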
« Reply #1 on: January 22, 2009, 01:25:11 »
ChainSaw
Guest

I just confirmed the same IPSec packet loss problem between two 1.3b15 m0n0walls.  0% packet loss with ping -l 1024 and ~ 10% with -l 2048.

Update1: -l 4096 is back to 0% packet loss - Very Strange.

Update2: Forgot to mention, I am not experiencing any AD problems at all.

CS...
« Last Edit: January 22, 2009, 09:28:14 by ChainSaw »
« Reply #2 on: January 22, 2009, 14:32:51 »
neik *
Posts: 6

I too found 4096 seemed to work more often than 2048!
« Reply #3 on: January 30, 2009, 02:36:03 »
cmb *****
Posts: 851

Fragments are dropped by the default LAN rule, if you need them, edit that rule and allow them.
« Reply #4 on: January 30, 2009, 02:52:33 »
ChainSaw
Guest

I already have that box checked.  Have you tried this test for yourself?

CS...
« Reply #5 on: January 30, 2009, 22:15:03 »
neik *
Posts: 6

Fragments are dropped by the default LAN rule, if you need them, edit that rule and allow them.

I have turned on _every_ option for large fragments (ie advanced options and each rule).