
Fragmentation issue over IPSEC

Hi to all,

I'm having an issue when our store tries to download a file from a server...

Our store is connected to the XG Firewall via one IPsec site-to-site VPN (IP range 10.3.201.128/25). They need to download some files from our server in Italy; these servers are connected to us via MPLS (in the XG Firewall LAN). The download is not finishing correctly. If I run a tcpdump when the store tries to download these files, I can see this:

15:53:31.684558 Port1, OUT: IP 10.3.201.131.56698 > 10.245.18.14.8000: Flags [S], seq 3069793391, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
15:53:31.700902 Port1, IN: IP 10.245.18.14.8000 > 10.3.201.131.56698: Flags [S.], seq 4150330870, ack 3069793392, win 40960, options [mss 1460,nop,wscale 11,nop,nop,sackOK], length 0
15:53:31.789970 Port1, OUT: IP 10.3.201.131.56698 > 10.245.18.14.8000: Flags [.], ack 1, win 16425, length 0
15:53:31.851295 Port1, OUT: IP 10.3.201.131.56698 > 10.245.18.14.8000: Flags [P.], ack 1, win 16425, length 1307
15:53:31.867868 Port1, IN: IP 10.245.18.14.8000 > 10.3.201.131.56698: Flags [.], ack 1308, win 40960, length 0
15:53:31.987252 Port1, IN: IP 10.245.18.14.8000 > 10.3.201.131.56698: Flags [.], ack 1308, win 40960, length 1460
15:53:31.987277 Port1, OUT: IP 10.3.2.2 > 10.245.18.14: ICMP 10.3.201.131 unreachable - need to frag (mtu 1446), length 556
15:53:31.987494 Port1, IN: IP 10.245.18.14.8000 > 10.3.201.131.56698: Flags [.], ack 1308, win 40960, length 1460
15:53:31.987504 Port1, OUT: IP 10.3.2.2 > 10.245.18.14: ICMP 10.3.201.131 unreachable - need to frag (mtu 1446), length 556
15:53:31.987506 Port1, IN: IP 10.245.18.14.8000 > 10.3.201.131.56698: Flags [P.], ack 1308, win 40960, length 1460
15:53:31.987510 Port1, OUT: IP 10.3.2.2 > 10.245.18.14: ICMP 10.3.201.131 unreachable - need to frag (mtu 1446), length 556
15:53:33.118904 Port1, IN: IP 10.245.18.14.8000 > 10.3.201.131.56698: Flags [.], ack 1308, win 40960, length 1460
15:53:33.118929 Port1, OUT: IP 10.3.2.2 > 10.245.18.14: ICMP 10.3.201.131 unreachable - need to frag (mtu 1446), length 556
15:53:35.388879 Port1, IN: IP 10.245.18.14.8000 > 10.3.201.131.56698: Flags [.], ack 1308, win 40960, length 1460
15:53:35.388907 Port1, OUT: IP 10.3.2.2 > 10.245.18.14: ICMP 10.3.201.131 unreachable - need to frag (mtu 1446), length 556
15:53:39.908930 Port1, IN: IP 10.245.18.14.8000 > 10.3.201.131.56698: Flags [.], ack 1308, win 40960, length 1460
15:53:39.908947 Port1, OUT: IP 10.3.2.2 > 10.245.18.14: ICMP 10.3.201.131 unreachable - need to frag (mtu 1446), length 556
15:53:48.928974 Port1, IN: IP 10.245.18.14.8000 > 10.3.201.131.56698: Flags [.], ack 1308, win 40960, length 1460
15:53:48.928989 Port1, OUT: IP 10.3.2.2 > 10.245.18.14: ICMP 10.3.201.131 unreachable - need to frag (mtu 1446), length 556
15:54:06.948980 Port1, IN: IP 10.245.18.14.8000 > 10.3.201.131.56698: Flags [.], ack 1308, win 40960, length 1460
15:54:06.948994 Port1, OUT: IP 10.3.2.2 > 10.245.18.14: ICMP 10.3.201.131 unreachable - need to frag (mtu 1446), length 556
15:54:42.969089 Port1, IN: IP 10.245.18.14.8000 > 10.3.201.131.56698: Flags [.], ack 1308, win 40960, length 1460
15:54:42.969103 Port1, OUT: IP 10.3.2.2 > 10.245.18.14: ICMP 10.3.201.131 unreachable - need to frag (mtu 1446), length 556
15:55:42.989241 Port1, IN: IP 10.245.18.14.8000 > 10.3.201.131.56698: Flags [.], ack 1308, win 40960, length 1460
15:55:42.989266 Port1, OUT: IP 10.3.2.2 > 10.245.18.14: ICMP 10.3.201.131 unreachable - need to frag (mtu 1446), length 556
15:56:43.009465 Port1, IN: IP 10.245.18.14.8000 > 10.3.201.131.56698: Flags [.], ack 1308, win 40960, length 1460
15:56:43.009493 Port1, OUT: IP 10.3.2.2 > 10.245.18.14: ICMP 10.3.201.131 unreachable - need to frag (mtu 1446), length 556
15:57:09.328177 Port1, OUT: IP 10.3.201.131.56698 > 10.245.18.14.8000: Flags [R.], seq 1308, ack 1, win 0, length 0 

I don't understand this issue, what's happening?? Can anybody help me?? Why are there ICMP destination unreachable packets if I can ping the destination from the XG without problems???

The LAN port in the XG Firewall is configured by default (mtu=1500, mss=1460, no Override MSS).

Thanks a lot in advance.

Regards,

David



  • Hi to all,

    finally I've solved the problem. I'll explain how I did it, in case anybody has the same problem...

    My environment is the following:

    [STORE]------IPSEC------[(WAN) XG FIREWALL (LAN)]-------MPLS------[[SERVER] HQ]


    In my case, I have adjusted the MTU and the MSS to lower values and now it is working... By default, the values are: mtu=1500, mss=1460. I've set these values to: mtu=1446 and mss=1406, and now everything is running fine...

    I don't know if it's the best solution, but now everything is working fine, so it's OK for me.

    Regards

    David

  • David,

    From the tcpdump it is clear that the MTU was using a different value. By default the value is 1500, but in some cases it is lower or higher (jumbo frames, for example).

    Always sharing the values with the ISP is the key to configuring them correctly.

    Thanks for sharing your experience.

    Regards
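The capture in the original post shows the server sending 1460-byte segments over and over, each one answered by the XG with an ICMP "need to frag (mtu 1446)", and no smaller retransmission ever arriving: that pattern is consistent with a path-MTU-discovery black hole, where the ICMP notification is dropped or ignored on the way back to the sender. David's working value of mss=1406 is exactly 1446 minus the 40 bytes of IPv4 and TCP headers. The Python script below is an added example written for this page; it is not code from the thread, from David, or from Sophos. It parses tcpdump lines in the format posted above (an excerpt of that capture is embedded inline as the sample), flags a sender that keeps transmitting oversized segments after being told to fragment, and derives the MSS clamp value from the advertised MTU. The 40-byte header assumption (20-byte IPv4 header, 20-byte TCP header without options) and the threshold of two ignored notifications are choices made for this example.

```python
"""Spot a PMTUD black hole in tcpdump output and derive the MSS value to clamp to."""
import re

# Sample input: an excerpt of the capture posted in the thread, embedded here so the
# script runs offline. Lines are in the "Port1, IN/OUT:" shape the XG tcpdump prints.
SAMPLE_CAPTURE = """\
15:53:31.851295 Port1, OUT: IP 10.3.201.131.56698 > 10.245.18.14.8000: Flags [P.], ack 1, win 16425, length 1307
15:53:31.867868 Port1, IN: IP 10.245.18.14.8000 > 10.3.201.131.56698: Flags [.], ack 1308, win 40960, length 0
15:53:31.987252 Port1, IN: IP 10.245.18.14.8000 > 10.3.201.131.56698: Flags [.], ack 1308, win 40960, length 1460
15:53:31.987277 Port1, OUT: IP 10.3.2.2 > 10.245.18.14: ICMP 10.3.201.131 unreachable - need to frag (mtu 1446), length 556
15:53:33.118904 Port1, IN: IP 10.245.18.14.8000 > 10.3.201.131.56698: Flags [.], ack 1308, win 40960, length 1460
15:53:33.118929 Port1, OUT: IP 10.3.2.2 > 10.245.18.14: ICMP 10.3.201.131 unreachable - need to frag (mtu 1446), length 556
15:53:35.388879 Port1, IN: IP 10.245.18.14.8000 > 10.3.201.131.56698: Flags [.], ack 1308, win 40960, length 1460
15:53:35.388907 Port1, OUT: IP 10.3.2.2 > 10.245.18.14: ICMP 10.3.201.131 unreachable - need to frag (mtu 1446), length 556
"""

# TCP segment line: "<ts> <iface>, <dir>: IP <src>.<sport> > <dst>.<dport>: Flags [..], ..., length N"
TCP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>\S+), (?P<dir>IN|OUT): IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\],.*?length (?P<length>\d+)\s*$"
)
# ICMP "fragmentation needed" line: "... IP <src> > <dst>: ICMP <orig_dst> unreachable - need to frag (mtu N)"
ICMP_FRAG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>\S+), (?P<dir>IN|OUT): IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP (?P<orig_dst>[\d.]+) unreachable - need to frag \(mtu (?P<mtu>\d+)\)"
)

# Assumption of this example: plain IPv4 + TCP headers with no options on data segments.
IP_HDR = 20
TCP_HDR = 20
# Assumption: a sender that keeps going after this many need-to-frag notices is not receiving them.
IGNORED_THRESHOLD = 2


def parse_capture(text):
    """Turn tcpdump lines into a list of event dicts; lines that match neither pattern are skipped."""
    events = []
    for line in text.splitlines():
        m = TCP_RE.match(line)
        if m:
            d = m.groupdict()
            events.append({"kind": "tcp", "ts": d["ts"], "src": d["src"], "dst": d["dst"],
                           "flags": d["flags"], "length": int(d["length"])})
            continue
        m = ICMP_FRAG_RE.match(line)
        if m:
            d = m.groupdict()
            # The ICMP destination is the host that sent the oversized packet.
            events.append({"kind": "need_frag", "ts": d["ts"], "src": d["src"],
                           "dst": d["dst"], "mtu": int(d["mtu"])})
    return events


def analyze_pmtud(events):
    """For each sender that was told to fragment, count the oversized segments it sent afterwards.

    Returns {sender_ip: {mtu, need_frag_sent, oversized_after_icmp, recommended_mss, blackhole_suspected}}.
    """
    report = {}
    for ev in events:
        if ev["kind"] == "need_frag":
            r = report.setdefault(ev["dst"], {"mtu": ev["mtu"], "need_frag_sent": 0,
                                              "oversized_after_icmp": 0})
            r["need_frag_sent"] += 1
            r["mtu"] = min(r["mtu"], ev["mtu"])  # keep the smallest MTU seen on the path
        elif ev["kind"] == "tcp" and ev["src"] in report:
            r = report[ev["src"]]
            # A segment only fits the path if payload + headers <= advertised MTU.
            if ev["length"] > r["mtu"] - IP_HDR - TCP_HDR:
                r["oversized_after_icmp"] += 1
    for r in report.values():
        r["recommended_mss"] = r["mtu"] - IP_HDR - TCP_HDR
        r["blackhole_suspected"] = r["oversized_after_icmp"] >= IGNORED_THRESHOLD
    return report


if __name__ == "__main__":
    for sender, r in analyze_pmtud(parse_capture(SAMPLE_CAPTURE)).items():
        print(f"{sender}: path MTU {r['mtu']}, {r['need_frag_sent']} need-to-frag sent, "
              f"{r['oversized_after_icmp']} oversized segments after the first notice, "
              f"black hole suspected={r['blackhole_suspected']}, clamp MSS to {r['recommended_mss']}")
```

Run against the excerpt, the script reports the server 10.245.18.14 as a suspected black hole and recommends an MSS of 1406, which is the value David ended up configuring. On a real capture the same check can be run over the full tcpdump output piped into `parse_capture`; the MSS it recommends is the value to put in the firewall's MSS override for the IPsec path, which makes the fix independent of whether the ICMP ever reaches the server.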