Hi Darren,
Just want to say thank you. You helped solve a problem that's been
hounding me for a while now. It was in fact the smartdefence, but it was
the number of fragmented packets allowed in a certain timespan.
The problem was that I don't have access to the device and thus had to
troubleshoot at one end of the connection until I was pretty sure it was
the other side. That's a crappy position to be in. Your help, coupled
with the fact that I could see the pings arriving at the OpenBSD server
and the response being sent out pointed to a problem on the other end.
Now I just have to figure out why Path MTU discovery isn't working, but
that's minor at this point.
I'd love to send you a pizza of your choice. Please drop me an email and
it'll be done. I'm serious. I'm SO relieved.
Thanks,
Tim
Darren Spruell wrote:
On 2/19/07, Tim Pushor <[EMAIL PROTECTED]> wrote:
Hi all,
I'm getting to the point where I don't really know where to turn. I am
having a weird problem with an OpenBSD server/firewall that has a
permanent IPSec tunnel to a checkpoint embedded security device. The
problem is, that half the time large packets can't get through. I've
trial and error'ed (via windows ping -l) that ping packets 1306 bytes
get through all the time, while packets > 1306 (even 1307) only get
through half the time. Not half the time like 50% loss, but like it
works for hours, then doesn't for 10 minutes.
If that Check Point device has SmartDefense enabled, it has rules that
futz with ICMP packets larger than some threshold. See if you have any
of that mojo going on.
DS
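The size-threshold hunt described in the thread, done systematically, as an added example that is not part of the original exchange: it binary-searches the largest ICMP payload that reaches a host with and without the DF bit (the DF run also exercises Path MTU discovery across the tunnel), then samples one size repeatedly to catch the hours-on/minutes-off loss a per-interval fragment cap produces. It assumes OpenBSD ping(8) flags (`-D` sets DF; Linux uses `-M do`), and the `PROBE` hook is a hypothetical name so the probe command can be swapped out.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes OpenBSD ping(8) flags.
# PROBE is called as "$PROBE host bytes mode"; mode is "df" or "frag".
# It can be overridden (e.g. with a stub) for offline use.
probe() {
    if [ "$3" = "df" ]; then
        ping -c 1 -w 2 -D -s "$2" "$1" >/dev/null 2>&1   # DF set: no fragments
    else
        ping -c 1 -w 2 -s "$2" "$1" >/dev/null 2>&1      # fragmentation allowed
    fi
}
PROBE=${PROBE:-probe}

# find_max host mode lo hi: lo is a payload size known to pass, hi one known
# to fail; prints the largest passing size, assuming a single threshold.
find_max() {
    host=$1 mode=$2 lo=$3 hi=$4
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(((lo + hi) / 2))
        if "$PROBE" "$host" "$mid" "$mode"; then lo=$mid; else hi=$mid; fi
    done
    echo "$lo"
}

# loss_count host bytes mode n: sends n probes of one size and prints how many
# failed. Loss at a size that usually works points at rate limiting (such as a
# fragments-per-interval cap) rather than a fixed MTU.
loss_count() {
    host=$1 bytes=$2 mode=$3 n=$4 lost=0 i=0
    while [ "$i" -lt "$n" ]; do
        "$PROBE" "$host" "$bytes" "$mode" || lost=$((lost + 1))
        i=$((i + 1))
    done
    echo "$lost"
}

# Usage: sh probe-mtu.sh <host>
if [ -n "$1" ]; then
    echo "largest payload with DF set:         $(find_max "$1" df 0 1500)"
    echo "largest payload, fragmentation allowed: $(find_max "$1" frag 0 9000)"
    echo "failures in 20 probes of 1307 bytes:   $(loss_count "$1" 1307 frag 20)"
fi
```

If the DF run stops well below the fragmented run, the path MTU is smaller than the endpoints believe and ICMP "fragmentation needed" is not getting back; if the fragmented run passes a size that later fails in loss_count, look at rate limits on the far device.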