[FW1] FW: [fw1-wizards] Unusual Log Message
A general question regarding fragmentation: Recently I had an issue involving fragmentation which I initially thought involved the FW, but which was actually an ACL issue on the Cisco router. Internal NT clients were sending with an MTU of 1500 and the DF (do not fragment) bit set in the packet. One subnet en route had an MTU of 1496, so the remote router would send back a request to lower the MTU. Since I didn't have 'access-list 100 permit icmp any any packet-too-big' in the router's ACL, the session would die because the internal host kept happily transmitting at 1500.

Is sending with the DF bit set a default condition, or is this unusual? Why would this be set?

Ian

-----Original Message-----
From: Dameon D. Welch-Abernathy [mailto:[email protected]]
Sent: Sunday, November 12, 2000 11:36 AM
To: [email protected]
Subject: Re: [fw1-wizards] Unusual Log Message

> "router log: Virtual Defragmentation error: Timeout (..xxx.xxx ->
> xxx.xxx.xxx.xxx proto 50 id 40401 len 0 offset 0) - 6 fragments dropped
> during the last 60 seconds"

This is actually in the 4.1 SP2 release notes. FireWall-1 received fragmented packets, which it was not able to re-assemble correctly. Protocol 50 tells me it was an IPSEC packet. By default, FireWall-1 doesn't fragment IPSEC packets, though it would probably work better if it did. It sends them with the don't fragment bit set, which can make things worse if the packets were near MTU size before FireWall-1 added the IPSEC headers. Check Point has a couple of Knowledge Base docs that explain how to solve this on Solaris or NT.
--
PhoneBoy
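As an added illustration of the behaviour Ian describes (example code written for this archive page, not from the thread or from Cisco or Check Point): a small Python model of path MTU discovery through a 1496-byte link, comparing a router ACL that drops the ICMP "packet-too-big" reply with one that permits it. It assumes that Cisco's packet-too-big keyword matches ICMP type 3 code 4 (RFC 1191 "fragmentation needed and DF set") and a 20-byte IP header for the fragment count; the ACL sets are constructed.

```python
"""Path MTU discovery through a 1496-byte link, with and without an ACL that
lets the ICMP 'packet-too-big' message (type 3, code 4) back to the sender."""
from dataclasses import dataclass

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4   # Cisco ACL keyword "packet-too-big"; RFC 1191 PMTUD


@dataclass
class Packet:
    length: int   # total IP length in bytes
    df: bool      # Don't Fragment bit


def next_hop(pkt, link_mtu):
    """Router decision for one packet on a link of link_mtu bytes.
    Returns ("forward", pkt), ("fragment", count) or ("icmp", (type, code, mtu))."""
    if pkt.length <= link_mtu:
        return ("forward", pkt)
    if pkt.df:
        # DF set: the router drops the packet and reports its next-hop MTU
        return ("icmp", (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, link_mtu))
    # DF clear: router fragments (assumes 20-byte IP header, 8-byte-aligned payload)
    per_frag = (link_mtu - 20) - (link_mtu - 20) % 8
    return ("fragment", -(-(pkt.length - 20) // per_frag))


def acl_permits_icmp(acl, icmp_type, icmp_code):
    """acl is a set of (type, code) pairs the router lets back toward the sender."""
    return (icmp_type, icmp_code) in acl


def run_session(sender_mtu, link_mtu, acl, df=True, attempts=3):
    """The sender retransmits at its current path MTU and lowers it only when
    the ICMP reply gets through the ACL. Returns (delivered, final_path_mtu)."""
    path_mtu = sender_mtu
    for _ in range(attempts):
        result, detail = next_hop(Packet(path_mtu, df), link_mtu)
        if result != "icmp":
            return True, path_mtu
        icmp_type, icmp_code, next_mtu = detail
        if acl_permits_icmp(acl, icmp_type, icmp_code):
            path_mtu = next_mtu   # sender adopts the MTU reported in the ICMP
        # otherwise the ICMP never arrives and the host keeps sending at 1500


    return False, path_mtu


# Constructed ACLs: before, only echo traffic was permitted; the fix adds
# 'access-list 100 permit icmp any any packet-too-big'.
ACL_BEFORE = {(8, 0), (0, 0)}
ACL_AFTER = ACL_BEFORE | {(ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED)}
```

With ACL_BEFORE the session never delivers and the host stays at 1500, exactly the stall Ian saw; with ACL_AFTER the host drops to 1496 on the second attempt, and with DF clear the router simply fragments the 1500-byte packet into two.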