Hi, one of my OpenBSD 4.6 boxen starts sending out "need to fragment" messages to other hosts, w/o me seeing the reason.

# pfctl -s a |grep mss
# ifconfig|grep mtu|grep -v 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33152
enc0: flags=41<UP,RUNNING> mtu 1536
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33152
#

And that's it... IOW: There are only physical interfaces with an MTU of 1500 bytes present, and there are no mss-meddling packet filter rules present.

Nevertheless, the machine started to send out random fragmentation messages to ever more hosts around the internet, resulting in more and more websites becoming inaccessible.

Sample message from tcpdump:

19:03:59.805030 1.2.3.4 > 5.6.7.8: icmp: 1.2.3.20 unreachable - need to frag (mtu 1420) for 5.6.7.8.80 > 1.2.3.20.59495: 2079874237 [|tcp] (DF) (ttl 243, id 22121, len 1500) (ttl 255, id 23060, len 56)

The machine in question serves as a firewall, and it can (did) happen that e.g. one machine in the DMZ can access a certain foreign host, while some other can't access the same foreign host. The only consistency to be observed is that connectivity gradually deteriorates, so that eventually, no machine in the DMZ can access a certain host, while the number of inaccessible foreign hosts steadily increases.

The machine runs OpenBSD 4.6-stable/amd64.

What gives?

Kind regards,
--Toni++
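
Added example, not part of the original post: a small parser for tcpdump lines like the sample above, grouping the remote peers that were told to use an MTU below the link MTU by the sender of the ICMP error. The function names, the 1500-byte default and all sample lines except the first are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches tcpdump text output for ICMP "need to frag" errors, in the
# format shown in the post's sample line.
NEED_FRAG = re.compile(
    r"^(?P<ts>\S+) (?P<icmp_src>[\d.]+) > (?P<icmp_dst>[\d.]+): icmp: "
    r"(?P<target>[\d.]+) unreachable - need to frag \(mtu (?P<mtu>\d+)\)"
    r"(?: for (?P<flow_src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<flow_dst>[\d.]+)\.(?P<dport>\d+):)?"
)

def parse_need_frag(line):
    """Return a dict for a need-to-frag line, or None for any other line."""
    m = NEED_FRAG.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["mtu"] = int(rec["mtu"])
    return rec

def summarize(lines, link_mtu=1500):
    """Map (ICMP sender, advertised MTU) -> set of peers that received it.

    Only errors advertising an MTU below link_mtu are kept, since those are
    the ones that do not match the interface configuration.
    """
    groups = defaultdict(set)
    for line in lines:
        rec = parse_need_frag(line)
        if rec and rec["mtu"] < link_mtu:
            groups[(rec["icmp_src"], rec["mtu"])].add(rec["icmp_dst"])
    return dict(groups)

# First entry is the sample from the post; the others are constructed.
SAMPLE = [
    "19:03:59.805030 1.2.3.4 > 5.6.7.8: icmp: 1.2.3.20 unreachable - "
    "need to frag (mtu 1420) for 5.6.7.8.80 > 1.2.3.20.59495: 2079874237 "
    "[|tcp] (DF) (ttl 243, id 22121, len 1500) (ttl 255, id 23060, len 56)",
    "19:04:01.112233 1.2.3.4 > 9.10.11.12: icmp: 1.2.3.21 unreachable - "
    "need to frag (mtu 1420) for 9.10.11.12.443 > 1.2.3.21.40112: 1 "
    "[|tcp] (DF) (ttl 240, id 7, len 1500) (ttl 255, id 8, len 56)",
    "19:04:02.000000 1.2.3.20.59495 > 5.6.7.8.80: . ack 1 win 16384 (DF)",
    "19:04:03.000000 1.2.3.4 > 5.6.7.8: icmp: echo request",
]

if __name__ == "__main__":
    for (sender, mtu), peers in sorted(summarize(SAMPLE).items()):
        print(f"{sender} advertised mtu {mtu} to {sorted(peers)}")
```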