> I forgot to tell that I don't have any firewall rule on the ssh server, and
> net.inet.tcp.path_mtu_discovery is set to 1.
>
> A few more questions:
>
> - Why does ssh set the Don't-Fragment bit? This is maybe usual in today's
>   TCP/IP communications, as Path MTU Discovery slowly replaced fragmentation.
TCP always sets don't frag:

    /*
     * If we do path MTU discovery, then we set DF on every packet.
     * This might not be the best thing to do according to RFC3390
     * Section 2.  However the tcp hostcache mitigates the problem
     * so it affects only the first tcp connection with a host.
     */
    if (path_mtu_discovery)
        ip->ip_off |= IP_DF;

You can turn it off via this sysctl:

    int path_mtu_discovery = 1;
    SYSCTL_INT(_net_inet_tcp, OID_AUTO, path_mtu_discovery, CTLFLAG_RW,
        &path_mtu_discovery, 1, "Enable Path MTU Discovery");
> - Why doesn't Path MTU Discovery work here? I'm pretty sure that the ICMP
>   Need-To-Frag packets are not filtered, since I am able to see them going
>   out of the Ethernet network card on the RELENG_4 router.
Does SSH use IPSEC AH? Just guessing here, but maybe the problem is (from icmp_input()):

    /*
     * XXX if the packet contains [IPv4 AH TCP], we can't make a
     * notification to TCP layer.
     */
    ctlfunc = inetsw[ip_protox[icp->icmp_ip.ip_p]].pr_ctlinput;
    if (ctlfunc)
        (*ctlfunc)(code, (struct sockaddr *)&icmpsrc, (void *)&icp->icmp_ip);

--
Dave Baukus
[EMAIL PROTECTED]
Chiaro Networks Ltd.
Richardson, Texas USA
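An added example for the two points above, not part of the thread and not FreeBSD kernel source: a small C parser for an ICMP Need-To-Frag message (type 3, code 4) that reads the next-hop MTU from the RFC 1191 field, checks whether DF was set on the embedded original datagram, and reports whether the embedded protocol is TCP (so the kernel's icmp_input() would hand the message to TCP's ctlinput) or AH (protocol 51), in which case, as the quoted comment says, the TCP layer never learns the MTU and PMTUD stalls. All names (parse_needfrag, build_needfrag, needfrag_info), the sample packet bytes and the 10.0.0.x addresses are my own constructions; checksums are left zero and not verified.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard protocol constants (RFC 792, RFC 1191, RFC 4302); not taken from the mail. */
#define ICMP_UNREACH          3
#define ICMP_UNREACH_NEEDFRAG 4
#define IPPROTO_TCP           6
#define IPPROTO_AH            51
#define IP_DF                 0x4000

/* What a diagnostic tool wants to know about one Need-To-Frag message. */
struct needfrag_info {
    uint16_t next_mtu;     /* next-hop MTU advertised by the router (RFC 1191) */
    uint8_t  inner_proto;  /* protocol field of the embedded original datagram */
    int      inner_df;     /* DF bit set on the original datagram? */
    int      tcp_notified; /* would icmp_input() dispatch to TCP's ctlinput? */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void     wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/*
 * Parse an ICMP message starting at its 8-byte header (outer IP header already
 * stripped).  Returns 0 and fills *out for a well-formed type 3 / code 4
 * message, -1 otherwise.  The ICMP checksum is deliberately not verified here.
 */
int parse_needfrag(const uint8_t *icmp, size_t len, struct needfrag_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < 8 + 20)                                   /* ICMP hdr + minimum IP hdr */
        return -1;
    if (icmp[0] != ICMP_UNREACH || icmp[1] != ICMP_UNREACH_NEEDFRAG)
        return -1;
    out->next_mtu = rd16(icmp + 6);                     /* low half of the "unused" word */

    const uint8_t *inner = icmp + 8;                    /* embedded original IP header */
    if ((inner[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(inner[0] & 0x0f) * 4;
    if (ihl < 20 || len < 8 + ihl)
        return -1;
    out->inner_df     = (rd16(inner + 6) & IP_DF) != 0;
    out->inner_proto  = inner[9];
    /* Mirrors the kernel: the ctlinput is chosen by the inner protocol number,
     * so AH (51) in front of TCP means tcp_ctlinput() never sees the MTU. */
    out->tcp_notified = (out->inner_proto == IPPROTO_TCP);
    return 0;
}

/*
 * Build a constructed sample Need-To-Frag message into buf (>= 36 bytes):
 * 8-byte ICMP header, 20-byte inner IPv4 header, 8 bytes of inner payload.
 * Returns the number of bytes written.  Checksums are left as zero.
 */
size_t build_needfrag(uint8_t *buf, uint8_t inner_proto, int df, uint16_t mtu)
{
    memset(buf, 0, 36);
    buf[0] = ICMP_UNREACH;
    buf[1] = ICMP_UNREACH_NEEDFRAG;
    wr16(buf + 6, mtu);
    uint8_t *ip = buf + 8;
    ip[0] = 0x45;                          /* IPv4, IHL 5 */
    wr16(ip + 2, 1500);                    /* original total length */
    wr16(ip + 6, df ? IP_DF : 0);          /* flags / fragment offset */
    ip[8] = 64;                            /* TTL */
    ip[9] = inner_proto;
    ip[12] = 10; ip[15] = 1;               /* constructed source 10.0.0.1 */
    ip[16] = 10; ip[19] = 2;               /* constructed destination 10.0.0.2 */
    return 36;
}

int main(void)
{
    uint8_t pkt[64];
    struct needfrag_info info;
    uint8_t protos[2] = { IPPROTO_TCP, IPPROTO_AH };
    for (int i = 0; i < 2; i++) {
        size_t n = build_needfrag(pkt, protos[i], 1, 1400);
        if (parse_needfrag(pkt, n, &info) == 0)
            printf("inner proto %u, DF=%d, next-hop MTU %u, TCP notified: %s\n",
                   info.inner_proto, info.inner_df, info.next_mtu,
                   info.tcp_notified ? "yes" : "no (PMTUD stalls)");
    }
    return 0;
}
```

Run against a capture of the Need-To-Frag packets seen leaving the RELENG_4 router, the parser answers the two questions that matter for this thread: whether DF was really set on the original datagram (the TCP code above forces it while path_mtu_discovery is 1) and whether the inner header is TCP or AH, which decides whether the kernel can deliver the MTU to the TCP layer at all.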