Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW-1] Virtual defragmentation error

To: [email protected]
Subject: Re: [FW-1] Virtual defragmentation error
From: JOE CAMPOS <[email protected]>
Date: Tue, 4 Nov 2003 23:54:45 -0600
References: <[email protected]>
Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
Sender: Mailing list for discussion of Firewall-1 <[email protected]>

Definitely try changing the mtu size for any site-to-site connections. The
standard ethernet frame (1460 data, 20 ip header, 20 tcp header & 14 bytes
ethernet  header give you 1514 bytes total) gets 24 bytes add by the
encryption header and initialization vector. When this happens the fw starts
cranking up the virtual defragmentation errors. I changed the mtu on cisco
switch vlan. This is the vlan that contains the ports the Nokia's inside
interfaces connect to. Changing the mtu on the nokia box is not a supported
fix from what I recall. The  other option is change the mss size in the
OBJECTS file. I can give you the fix for that if you like. You should try
doing some ftp transfers before and after to see how much performanace
improves when you change the mtu to 1430. Here is a bit more info below. If
you want more, just type in the keywords "vpn mtu checkpoint on google. You
will see that this is a common problem and the mtu change is a common fix.
If I misunderstood your problem and I'm off-base on this then please accept
my apologies ahead of time. Thanks.
  a.. 1500. The largest Ethernet packet size; it is also the default value.
This is the typical setting for non-PPPoE, non-VPN connections. The default
value for NETGEAR routers, adapters and switches.
  b.. 1492. The size PPPoE prefers.
  c.. 1472. Maximum size to use for pinging. (Bigger packets are
fragmented.)
  d.. 1468. The size DHCP prefers.
  e.. 1460. Usable by AOL if you don't have large email attachments, etc.
  f.. 1430. The size VPN and PPTP prefer.
  g.. 1400. Maximum size for AOL DSL.
  h.. 576. Typical value to connect to dial-up ISPs.
http://www.extremetech.com/article2/0,3973,1153606,00.asp
----- Original Message -----
From: <[email protected]>
To: <[email protected]>
Sent: Monday, November 03, 2003 8:48 AM
Subject: [FW-1] Virtual defragmentation error


> Hi all,
>
> I'm running a VPN network with Check Point FW-1/VPN-1 on different
> platforms.
> Firewall-alpha: Nokia 530 IPSO 3.7 build 23 NG AI (Primary site)
> Firewall-bravo: SecurePlatform 2. Edt. NG FP3
> Firewall-gamma: SecurePlatform NG AI
> Firewall-omega: Nokia 120 IPSO 3.7 build 23 NG AI
>
> I'm starting to get a lot of these log entries in my fw-log:
> Date:       #####
> Time:             #####
> Product:          VPN-1 & FireWall-1
> Interface:        eth0
> Origin:           Firewall-bravo
> Type:             Log
> Action:           Drop
> Protocol:         50
> Source:           Firewall-alpha
> Destination:      Firewall-bravo
> Information:      message: Virtual defragmentation error: Timeout
>                         ip_id: 62989
>                         ip_len: 0
>                         ip_offset: 0
>                         fragments_dropped: 2
>                         during_sec: 60
>
> Where source always is Firewall-alpha but destination is the other three
> firewall's. Destination and origin is always the same.
>
> I started looking in the mailing-list archive, phoneboy, Nokia, Check
Point
> KB and google. I found some useful articles but I'm still a little unsure.
>
> I've looked at Nokia res: 3370. I've set ipsec_don't_fragment ture (It's
> true by default so I haven't changed it) But the article is about from one
> server to another behind the firewall's, having MTU problem.
>
> My problem being with at firewall's them selves and the protocol is 50, my
> eyes are turned to the MTU on the firewall's.
>
> I should add the when I ping -f -l 1473 server I get the message "Packet
> needs to be fragmented but DF set." If I set the size to 1472 it's ok.
Then
> my attention is back on my server (res. 3370) and thus my confusion.
>
> I also found a fix mentioned SHF_FW1_AI_0020, but as I understood this is
> for a problem with log entries like this "Virtual Defragmentation error:
> low on mbufs . . ." and that's not my case.
>
> My question is where to edit my MTU size. Is it on my server or on my
> firewall's or should I not change my MTU and look in a total different
> place?
>
>
> Any help would be appreciated.
>
> Best Regards,
>
> Ole Jakobsen
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

References:
- [FW-1] Virtual defragmentation error
  - From: [email protected]

Prev by Date: Re: [FW-1] Virtual defragmentation error
Next by Date: Re: [FW-1] Virtual defragmentation error
Previous by thread: [FW-1] Virtual defragmentation error
Next by thread: Re: [FW-1] Virtual defragmentation error
Index(es):
- Date
- Thread