[FW-1] Fragmentation Problem Fix
Can this fragmentation problem fix also be done in NG? If so, is the syntax the same?

Some applications set the "Don't Fragment" bit on certain packets. When the IPSEC headers are added onto the already large packet, the packet basically requires fragmentation in order to pass. When Check Point creates the IPSEC packet, the Don't Fragment bit is passed onto the new packet. The end result: a packet that requires fragmentation to pass, but has the Don't Fragment bit set, so can't be fragmented. Packet gets dropped.

You can force FireWall-1 to clear the Don't Fragment bit by setting the fw_ipsec_dont_fragment kernel variable as follows:

On a Nokia IPSO system (VPN-1 Appliance or Nokia IP), you will need to get the 'modzap' utility from Resolution 1261 in Nokia's Knowledge Base. You can then use the following command line to modify the fwhmem parameter and reboot the system:

    # modzap -s _fw_ipsec_dont_fragment $FWDIR/modules/fwmod.o 0x0

Sincerely,
SkillSoft, The E-Learning Solutions Company
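
The drop described in the message above, as an added example that is not part of the original post and is not Check Point code: it reads the Don't Fragment flag from an IPv4 header and shows what happens to the encapsulated packet when DF is copied to the outer packet versus cleared. The 1500-byte MTU, the 56-byte IPsec overhead and all function names are assumptions, and the sample headers are constructed.

```python
import struct

IP_DF = 0x4000  # Don't Fragment flag in the IPv4 flags/fragment-offset field (RFC 791)


def build_ipv4_header(total_len, df):
    """Constructed sample header: 20 bytes, no options, checksum left at 0."""
    flags_frag = IP_DF if df else 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, flags_frag,
                       64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 1, 1]))


def parse_ipv4(header):
    """Return (total_length, df_set) from a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    total_len, _ident, flags_frag = struct.unpack("!HHH", header[2:8])
    return total_len, bool(flags_frag & IP_DF)


def tunnel_outcome(inner_header, mtu=1500, overhead=56, copy_df=True):
    """Decide the fate of the encapsulated packet on the outbound link.

    copy_df=True models DF being passed onto the outer packet (the
    behaviour the message describes); copy_df=False models the bit being
    cleared. mtu and overhead are assumed values, not taken from the post.
    """
    inner_len, inner_df = parse_ipv4(inner_header)
    outer_len = inner_len + overhead      # size after IPsec encapsulation
    outer_df = inner_df and copy_df       # DF on the new outer packet
    if outer_len <= mtu:
        return "forwarded"
    # Too large for the link: only a packet without DF may be fragmented.
    return "dropped" if outer_df else "fragmented"


if __name__ == "__main__":
    big_df = build_ipv4_header(1480, df=True)
    print("DF copied :", tunnel_outcome(big_df, copy_df=True))
    print("DF cleared:", tunnel_outcome(big_df, copy_df=False))
```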