[FW-1] Virtual defragmentation error
Hi all,

I'm running a VPN network with Check Point FW-1/VPN-1 on different platforms.

Firewall-alpha: Nokia 530 IPSO 3.7 build 23 NG AI (Primary site)
Firewall-bravo: SecurePlatform 2. Edt. NG FP3
Firewall-gamma: SecurePlatform NG AI
Firewall-omega: Nokia 120 IPSO 3.7 build 23 NG AI

I'm starting to get a lot of these log entries in my fw-log:

    Date: #####
    Time: #####
    Product: VPN-1 & FireWall-1
    Interface: eth0
    Origin: Firewall-bravo
    Type: Log
    Action: Drop
    Protocol: 50
    Source: Firewall-alpha
    Destination: Firewall-bravo
    Information: message: Virtual defragmentation error: Timeout ip_id: 62989 ip_len: 0 ip_offset: 0 fragments_dropped: 2 during_sec: 60

Where source is always Firewall-alpha but destination is the other three firewalls. Destination and origin are always the same.

I started looking in the mailing-list archive, phoneboy, Nokia, Check Point KB and Google. I found some useful articles but I'm still a little unsure.

I've looked at Nokia res: 3370. I've set ipsec_don't_fragment true (it's true by default so I haven't changed it). But the article is about traffic from one server to another behind the firewalls, having an MTU problem. My problem being with the firewalls themselves and the protocol being 50, my eyes are turned to the MTU on the firewalls.

I should add that when I ping -f -l 1473 server I get the message "Packet needs to be fragmented but DF set." If I set the size to 1472 it's ok. Then my attention is back on my server (res. 3370) and thus my confusion.

I also found a fix mentioned, SHF_FW1_AI_0020, but as I understood it this is for a problem with log entries like this: "Virtual Defragmentation error: low on mbufs . . ." and that's not my case.

My question is where to edit my MTU size. Is it on my server or on my firewalls, or should I not change my MTU and look in a totally different place?

Any help would be appreciated.

Best Regards,
Ole Jakobsen
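An added example, not part of the original post: it works out how large a protocol 50 packet becomes when an inner packet is ESP-encapsulated in tunnel mode, compared with the 1500-byte MTU implied by the ping test above (1472 + 28). The cipher parameters are assumptions, since the post does not say which encryption and integrity algorithms the VPN uses; the function names are hypothetical.

```python
# Added example: ESP tunnel-mode packet sizes versus a link MTU.
# Assumed (not stated in the post): IPv4 without options, no NAT-T/UDP
# encapsulation, a CBC-mode cipher with a per-packet IV, and a 12-byte
# truncated HMAC as the integrity check value (ICV).
IP_HDR = 20       # IPv4 header without options
ICMP_HDR = 8      # ICMP echo header
ESP_HDR = 8       # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad length (1 byte) + next header (1 byte)


def ping_packet_len(payload):
    """IP length of an ICMP echo carrying `payload` data bytes (ping -l N)."""
    return IP_HDR + ICMP_HDR + payload


def esp_tunnel_len(inner_len, block=16, iv=16, icv=12):
    """IP length of the protocol 50 packet carrying one whole inner packet.

    Defaults model AES-CBC (16-byte block and IV); pass block=8, iv=8
    for 3DES-CBC.
    """
    # The inner packet plus ESP trailer is padded to a cipher block multiple.
    plaintext = inner_len + ESP_TRAILER
    padded = -(-plaintext // block) * block   # ceiling to block size
    return IP_HDR + ESP_HDR + iv + padded + icv


def max_inner_len(link_mtu=1500, **cipher):
    """Largest inner packet whose ESP packet still fits in link_mtu."""
    n = link_mtu
    while n > 0 and esp_tunnel_len(n, **cipher) > link_mtu:
        n -= 1
    return n


def report(link_mtu=1500):
    """Rows of (inner length, ESP length, exceeds MTU?) for sample sizes."""
    samples = (ping_packet_len(1472), 1440, max_inner_len(link_mtu))
    return [(n, esp_tunnel_len(n), esp_tunnel_len(n) > link_mtu)
            for n in samples]


if __name__ == "__main__":
    for inner, outer, too_big in report():
        state = "exceeds MTU, must be fragmented" if too_big else "fits"
        print(f"inner {inner:4d} -> ESP {outer:4d}  {state}")
    print("largest inner packet, AES-CBC :", max_inner_len())
    print("largest inner packet, 3DES-CBC:", max_inner_len(block=8, iv=8))
```

An ESP packet that exceeds the link MTU leaves the sending gateway as IP fragments with protocol 50, and the receiving gateway has to collect all of them before it can decrypt.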