Hello, I am not a network guy by training but a frustrated developer trying to gather some info for our network folks, so please forgive any naivety on my part.
We have a number of sites whose networks are joined together by NET2NET tunnels. At each site we have an Astaro Firewall/VPN server that is used both for this purpose and also to provide local VPN access for work-at-home users and those that are on the road. We have been having a problem since this setup was put in place where users could not reliably access servers at one site while VPN'd into another (i.e. they can only use the network associated with the site hosting the VPN server, even though machines at other sites can be pinged).
After much research, packet traces, and praying to the network gods, I was able to determine that the issue was related to the "Path MTU Discovery" protocol being disrupted by our firewalls not correctly responding to large ICMP requests with the Do Not Fragment bit set. This situation is what I believe is called a "black hole router". I am able to work around this issue by setting the RAS MTU on the VPN workstation to a sufficiently low number, and then everything starts working. But this seems like an inefficient solution, and quite frankly I don't like the idea of having to hack the MTUs on hundreds of workstations.
I suspect that there is a solution that could be implemented on the firewalls that would eliminate the need to mess with so many workstations and potentially sacrifice network performance down to the lowest common denominator. The network folks have been told that the solution that I suggested of permitting the ICMP packets generated by the PMTUD protocol to be responded to correctly is not supported by Astaro because it would violate some agreement or another (I don't believe this answer for even one second).
What I guess I am looking for is some technical guidance describing the proper way to permit PMTUD to work for VPN users, and perhaps general words of wisdom regarding using Astaro in this manner in the first place. Any input would be greatly appreciated.
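As an added illustration of the black-hole diagnosis described in this post (not the poster's code, and not anything from Astaro), the script below bisects the usable path MTU with DF-set pings. It assumes a Linux iputils `ping` (`-M do`, `-s`, `-W`, `-c`) and ships a simulated probe so the search logic can be exercised without a network.

```python
"""Bisect the usable path MTU with Do-Not-Fragment pings.

Constructed example for the PMTUD black-hole problem: when a firewall drops
the ICMP "fragmentation needed" replies, the sender never learns the real
path MTU and sees only silence above some packet size.  Probing with DF set
at varying sizes finds that size, which is the value the poster had to set
as the RAS MTU by hand.
"""
import subprocess
import sys
from typing import Callable

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def linux_df_probe(host: str, timeout_s: int = 2) -> Callable[[int], bool]:
    """Return a probe reporting whether a DF-set ping with PAYLOAD bytes is answered."""
    def probe(payload: int) -> bool:
        result = subprocess.run(
            ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host],
            capture_output=True, text=True,
        )
        return result.returncode == 0
    return probe


def find_path_mtu(probe: Callable[[int], bool], low: int = 576, high: int = 1500) -> int:
    """Largest IP packet size in [low, high] the probe confirms, found by bisection.
    `probe` takes an ICMP payload size; packet size = payload + IP_ICMP_OVERHEAD."""
    if not probe(low - IP_ICMP_OVERHEAD):
        raise RuntimeError(f"even {low}-byte packets fail; host unreachable or ICMP filtered")
    lo, hi = low, high  # invariant: a packet of size lo has been confirmed to get through
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid - IP_ICMP_OVERHEAD):
            lo = mid
        else:
            hi = mid - 1
    return lo


def simulated_black_hole(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a path whose 'fragmentation needed' messages are dropped:
    the sender sees success below the path MTU and silence above it, nothing else."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= path_mtu


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder host
    print("usable path MTU:", find_path_mtu(linux_df_probe(target)))
```

Run it from a VPN'd workstation against a server at the far site; a result well below 1500 while the local LAN shows 1500 is the black-hole signature, and the difference is the tunnel overhead the firewalls should be reporting via ICMP.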