Re: [FW-1] Virtual defragmentation error
Definitely try changing the MTU size for any site-to-site connections. The standard Ethernet frame (1460 data, 20 IP header, 20 TCP header & 14 bytes Ethernet header give you 1514 bytes total) gets 24 bytes added by the encryption header and initialization vector. When this happens the FW starts cranking up the virtual defragmentation errors. I changed the MTU on the Cisco switch VLAN. This is the VLAN that contains the ports the Nokia's inside interfaces connect to. Changing the MTU on the Nokia box is not a supported fix from what I recall. The other option is to change the MSS size in the OBJECTS file. I can give you the fix for that if you like. You should try doing some FTP transfers before and after to see how much performance improves when you change the MTU to 1430.

Here is a bit more info below. If you want more, just type in the keywords "vpn mtu checkpoint" on Google. You will see that this is a common problem and the MTU change is a common fix. If I misunderstood your problem and I'm off-base on this then please accept my apologies ahead of time. Thanks.

a. 1500. The largest Ethernet packet size; it is also the default value. This is the typical setting for non-PPPoE, non-VPN connections. The default value for NETGEAR routers, adapters and switches.
b. 1492. The size PPPoE prefers.
c. 1472. Maximum size to use for pinging. (Bigger packets are fragmented.)
d. 1468. The size DHCP prefers.
e. 1460. Usable by AOL if you don't have large email attachments, etc.
f. 1430. The size VPN and PPTP prefer.
g. 1400. Maximum size for AOL DSL.
h. 576. Typical value to connect to dial-up ISPs.

http://www.extremetech.com/article2/0,3973,1153606,00.asp

----- Original Message -----
From: <[email protected]>
To: <[email protected]>
Sent: Monday, November 03, 2003 8:48 AM
Subject: [FW-1] Virtual defragmentation error

> Hi all,
>
> I'm running a VPN network with Check Point FW-1/VPN-1 on different
> platforms.
> Firewall-alpha: Nokia 530 IPSO 3.7 build 23 NG AI (Primary site)
> Firewall-bravo: SecurePlatform 2. Edt. NG FP3
> Firewall-gamma: SecurePlatform NG AI
> Firewall-omega: Nokia 120 IPSO 3.7 build 23 NG AI
>
> I'm starting to get a lot of these log entries in my fw-log:
>
> Date: #####
> Time: #####
> Product: VPN-1 & FireWall-1
> Interface: eth0
> Origin: Firewall-bravo
> Type: Log
> Action: Drop
> Protocol: 50
> Source: Firewall-alpha
> Destination: Firewall-bravo
> Information: message: Virtual defragmentation error: Timeout
> ip_id: 62989
> ip_len: 0
> ip_offset: 0
> fragments_dropped: 2
> during_sec: 60
>
> Where source always is Firewall-alpha but destination is the other three
> firewalls. Destination and origin are always the same.
>
> I started looking in the mailing-list archive, phoneboy, Nokia, Check Point
> KB and Google. I found some useful articles but I'm still a little unsure.
>
> I've looked at Nokia res: 3370. I've set ipsec_don't_fragment true (it's
> true by default so I haven't changed it). But the article is about one
> server to another behind the firewalls having an MTU problem.
>
> My problem being with the firewalls themselves, and the protocol is 50, my
> eyes are turned to the MTU on the firewalls.
>
> I should add that when I ping -f -l 1473 server I get the message "Packet
> needs to be fragmented but DF set." If I set the size to 1472 it's OK. Then
> my attention is back on my server (res. 3370) and thus my confusion.
>
> I also found a fix mentioned, SHF_FW1_AI_0020, but as I understood this is
> for a problem with log entries like "Virtual Defragmentation error:
> low on mbufs . . ." and that's not my case.
>
> My question is where to edit my MTU size. Is it on my server or on my
> firewalls, or should I not change my MTU and look in a totally different
> place?
>
> Any help would be appreciated.
>
> Best Regards,
>
> Ole Jakobsen
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
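The thread turns on one arithmetic question: how many bytes ESP (IP protocol 50) adds to an inner packet, and therefore what inner MTU or TCP MSS still fits a 1500-byte link without the firewall having to fragment and virtually reassemble. The following Python is an added example, not code from either poster; it generalises the reply's single "24 bytes" figure into a per-cipher ESP overhead calculator and also covers the asker's ping -f -l 1472/1473 observation. The cipher names, the 8-byte SPI+sequence header, the 2-byte pad-length/next-header trailer, the 12-byte truncated HMAC ICV and the CBC IV sizes are assumed standard ESP values, not something stated in the thread.

```python
"""ESP (IP protocol 50) tunnel overhead versus link MTU.

Added example for the thread above; not code from either poster.
Assumptions (labelled): ESP with an 8-byte SPI+sequence header, a 2-byte
pad-length/next-header trailer, a 12-byte truncated HMAC ICV, and CBC IV
sizes of 8 (DES/3DES) or 16 (AES) bytes. IPv4 headers without options.
"""

IP_HEADER = 20        # outer and inner IPv4 header, no options
TCP_HEADER = 20       # TCP header, no options
ICMP_HEADER = 8       # echo request header used by ping
ESP_HEADER = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2       # pad length (1) + next header (1)
ICV_LEN = 12          # HMAC-MD5-96 / HMAC-SHA1-96 truncated ICV (assumption)

# cipher -> (IV length, block size) in bytes; assumed standard values
CIPHERS = {
    "null": (0, 4),       # ESP still requires 4-byte alignment with no cipher
    "des-cbc": (8, 8),
    "3des-cbc": (8, 8),
    "aes-cbc": (16, 16),
}


def esp_overhead(inner_len, cipher="3des-cbc"):
    """Bytes added when an inner IP packet of inner_len is ESP-tunnelled."""
    iv_len, block = CIPHERS[cipher]
    # The encrypted payload plus the 2-byte trailer is padded up to a
    # multiple of the cipher block size; that padding varies with inner_len.
    pad = (-(inner_len + ESP_TRAILER)) % block
    return IP_HEADER + ESP_HEADER + iv_len + pad + ESP_TRAILER + ICV_LEN


def tunnel_packet_len(inner_len, cipher="3des-cbc"):
    """Outer IP packet length on the wire for a given inner packet."""
    return inner_len + esp_overhead(inner_len, cipher)


def needs_fragmentation(inner_len, link_mtu=1500, cipher="3des-cbc"):
    """True when the encapsulated packet exceeds the link MTU."""
    return tunnel_packet_len(inner_len, cipher) > link_mtu


def max_inner_mtu(link_mtu=1500, cipher="3des-cbc"):
    """Largest inner packet whose ESP encapsulation still fits link_mtu."""
    n = link_mtu
    while needs_fragmentation(n, link_mtu, cipher):
        n -= 1
    return n


def tcp_mss_for(inner_mtu):
    """MSS to clamp so that TCP segments never exceed inner_mtu."""
    return inner_mtu - IP_HEADER - TCP_HEADER


def mtu_from_df_ping(largest_ok_payload):
    """Link MTU implied by the largest 'ping -f -l N' that is not rejected."""
    return largest_ok_payload + IP_HEADER + ICMP_HEADER


if __name__ == "__main__":
    print("largest DF ping 1472 ->", mtu_from_df_ping(1472), "byte MTU")
    for cipher in ("3des-cbc", "aes-cbc"):
        for inner in (1500, 1430):
            print(f"{cipher}: inner {inner} -> on wire "
                  f"{tunnel_packet_len(inner, cipher)}, "
                  f"fragments={needs_fragmentation(inner, cipher=cipher)}")
        m = max_inner_mtu(1500, cipher)
        print(f"{cipher}: max inner MTU {m}, TCP MSS {tcp_mss_for(m)}")
```

Two things fall out of running it. The asker's ping test (1472 OK, 1473 rejected) only measures the plain 1500-byte link between the server and the firewall, because 1472 + 8 + 20 = 1500; it says nothing about the ESP path, where a full 1500-byte inner packet comes out at 1552 bytes with 3DES and 1560 with AES and so must be fragmented. Lowering the inner MTU to 1430, as the reply suggests, keeps every packet under 1500 for both ciphers; clamping the MSS instead only helps TCP, since UDP and ICMP inside the tunnel ignore it.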