- To: <lartc@xxxxxxxxxxxxxxx>
- Subject: Strangness on fragmentation...
- From: Marco Gaiarin <gaio@xxxxxxxxx>
- Date: Thu, 5 Apr 2012 15:57:45 +0200
- Organization: La Nostra Famiglia - Polo FVG
- User-agent: Mutt/1.5.21 (2010-09-15)

I use a Linux box as a firewall, with two internet accesses and classical
split-access.

Recently I've made some heavy changes (changed one line, upgraded to
Debian squeeze, revamped some scripts, ...) and then suddenly I've
started to hit trouble: connections stalled, ...

Some tshark listening led me to an MTU/fragmentation problem, so
I've discovered that one of the connections does not fragment correctly
and needs a lower MTU (1476, found using
http://www.debian.org/doc/manuals/debian-reference/ch05.en.html#_finding_optimal_mtu).
But the problem persists.

After some fiddling, I've found that the same strange things happen on
some openvpn tunnels that sit on the line that needs a reduced MTU.

After some more work, I've ended up with an openvpn configuration like:

    tun-mtu 1476
    fragment 1300
    mssfix

but still some connections, such as IMAP/SSL, stall.

I've also tried to comment out these parameters and add an 'mtu-test',
which led me to:

    Apr 5 15:53:04 tank pasian[15897]: NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1540,1540] remote->local=[1540,1540]

so it seems to me that there are no pmtu/fragmentation troubles.

Apart from the kernel change (from lenny, 2.6.26, to squeeze, 2.6.32), the
only modification was enabling ecn:

    net.ipv4.tcp_ecn = 1
    net.ipv4.tcp_sack = 1
    net.ipv4.tcp_dsack = 1

but I've enabled ecn on other similar firewalls without any trouble at all.

Can someone help me to, at least, debug these troubles? Thanks.

--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.sv.lnf.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)sv.lnf.it tel +39-0434-842711 fax +39-0434-842797
Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/chi_siamo/5xmille.php
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)