Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FW-1] Fragementation Problem Fix

To: [email protected]
Subject: [FW-1] Fragementation Problem Fix
From: "Nathan Jardine (IT Services)" <[email protected]>
Date: Tue, 4 Feb 2003 14:39:37 -0400
Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
Sender: Mailing list for discussion of Firewall-1 <[email protected]>

Title: Fragementation Problem Fix

Can this fragmentation problem fix also be done in NG? If so is the syntax the same?

Some applications set the "Don't Fragment" bit on certain packets. When the IPSEC headers are added onto the already large packet, the packet basically requires fragmentation in order to pass. When Check Point creates the IPSEC packet, the Don't Fragment bit it passed onto the new packet. The end result, a packet that requires fragmentation to pass, but has the Don't Fragment bit set, so can't be fragmented. Packet gets dropped.

You can force FireWall-1 to clear the Don't Fragment bit by setting the fw_ipsec_dont_fragment kernel variable as follows:

On an Nokia IPSO system (VPN-1 Appliance or Nokia IP), you will need to get the 'modzap' utility from Resolution 1261 in Nokia's Knowledge Base. You can then use the following command line to modify the fwhmem parameter and reboot the system:

# modzap -s _fw_ipsec_dont_fragment $FWDIR/modules/fwmod.o 0x0

Sincerely,
Nathan

Nathan Jardine, CCNP, CCSA, CCDA, MCSE
IT Services, SkillSoft
Ph. ; ext 6977
Cell
[email protected]

SkillSoft, The E-Learning Solutions Company
Visit us at http://www.smartforce.com

Follow-Ups:
- Re: [FW-1] Fragementation Problem Fix
  - From: Jim Laverty <[email protected]>

Prev by Date: [FW-1] NG - RADIUS- Logon Scripts
Next by Date: [FW-1] Static Mapping and ARP issue in Win2k NG FP3
Previous by thread: Re: [FW-1] NG - RADIUS- Logon Scripts
Next by thread: Re: [FW-1] Fragementation Problem Fix
Index(es):
- Date
- Thread