> On 26 Feb 2023, at 12:07, Victor Gamov <vits...@gmail.com> wrote:
>
> Hi All
>
> I have the following scheme:
> - LAN segment 10.5.8.0/24 with router1 (10.5.8.1) and MTU=1500
> - two hosts at LAN segment host21 (10.5.8.21) and host22 (10.5.8.22)
> - host21 and host22 have VIP=172.16.110.30 configured as a LAN-interface alias
> - host21 and host22 have BGP peering with router1 and announce VIP to router1
> - hostX somewhere at intranet
> - ipsec-tunnel with MTU=1400
>
> ECMP works fine and traffic from other segments to VIP is balanced between
> host21+host22 by router1.
>
> The problem is:
> when host21 and/or host22 send a large packet with the DF-bit set using VIP as source,
> then the ipsec-router sends ICMP "Fragmentation needed", and this ICMP is
> _always_ sent to only host22 by router1.
>
> I think it may be hard or impossible to find the proper VIP-owner to send this
> ICMP to. Is it possible to propagate such ICMP to all VIP-owners in router1's
> routing-table? Or may some data from the ICMP message be used to properly
> calculate the ECMP-hash to find the real VIP-owner which must receive this ICMP?
Generally it's pretty hard to do. The path may go through multiple routers,
each of which has its own hash calculation + seed to avoid traffic polarisation.
Personally I'd suggest doing some sort of ICMP replication on either the source
node or the hosts.
>
>
> Thanks!
>
>
> --
> CU,
> Victor Gamov
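To illustrate the hashing question in the thread (why the ICMP error always lands on one owner, and what hashing on the quoted inner header would change), here is an added Python sketch; it is not code from the thread or from any router. The addresses of router1, the VIP and the hosts come from the mail; hostX's address 10.9.1.7 and the CRC-based next-hop selection are made-up stand-ins.

```python
import ipaddress
import struct
import zlib

# Topology from the thread; hostX's address is a constructed placeholder.
VIP_OWNERS = ["10.5.8.21", "10.5.8.22"]
VIP, IPSEC_ROUTER, HOST_X = "172.16.110.30", "10.5.8.1", "10.9.1.7"

def ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header with DF set; checksum left zero (constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def frag_needed(sport, dport, mtu=1400):
    """ICMP type 3 / code 4 as the ipsec-router would emit for a VIP->hostX TCP packet
    with DF set: outer IP (router -> VIP), 8-byte ICMP header, quoted IP header + 8 bytes."""
    quoted = ipv4_header(VIP, HOST_X, 6, 1500) + struct.pack("!HHI", sport, dport, 1)
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + quoted
    return ipv4_header(IPSEC_ROUTER, VIP, 1, 20 + len(icmp)) + icmp

def five_tuple(ip_pkt):
    """(src, dst, proto, sport, dport) of an IPv4 packet; ports are 0 unless TCP/UDP."""
    ihl = (ip_pkt[0] & 0x0F) * 4
    proto = ip_pkt[9]
    src, dst = (str(ipaddress.IPv4Address(ip_pkt[i:i + 4])) for i in (12, 16))
    sport, dport = struct.unpack("!HH", ip_pkt[ihl:ihl + 4]) if proto in (6, 17) else (0, 0)
    return (src, dst, proto, sport, dport)

def ecmp_pick(tup, seed=0):
    """Toy hash-based next-hop choice (stand-in for router1's real algorithm and seed)."""
    key = "|".join(map(str, tup)).encode()
    return VIP_OWNERS[(zlib.crc32(key) ^ seed) % len(VIP_OWNERS)]

def pick_by_outer(pkt):
    """What router1 does today: hash the ICMP packet's own header. That tuple is
    (ipsec-router, VIP, ICMP, 0, 0) for every flow, so every error goes to one owner."""
    return ecmp_pick(five_tuple(pkt))

def pick_by_quoted_flow(pkt):
    """Hash the flow quoted inside the ICMP error instead, reversed so it matches the
    direction router1 already hashes (hostX -> VIP); the choice now varies per flow."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst, proto, sport, dport = five_tuple(pkt[ihl + 8:])
    return ecmp_pick((dst, src, proto, dport, sport))
```

Even with inner-header hashing, another router on the path with its own seed (or this toy hash) can pick a different owner than the one that really sent the packet, which is why the reply calls the problem hard and suggests replicating the ICMP to all VIP owners instead.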