On Sun, Mar 17, 2019 at 11:37:55PM +0000, Bram Yvahk wrote:
> We've experienced an issue with VTI when the path-mtu is smaller than the size
> of the "client" packet.
>
> What happens: IPv4 packet from the client (i.e. another system in the LAN)
> attempts to transmit some data; IPv4 header shows that 'DF' bit is not set but
> still the client receives ICMPv4 "need-to-frag" message [which the client does
> not expect and ignores].
>
> Example: $ ping -s 1300 -M dont -c5 192.168.235.2
> PING 192.168.235.3 (192.168.235.3) 1300(1328) bytes of data.
> From 192.168.236.254 icmp_seq=1 Frag needed and DF set (mtu = 1214)
> From 192.168.236.254 icmp_seq=2 Frag needed and DF set (mtu = 1214)
> From 192.168.236.254 icmp_seq=3 Frag needed and DF set (mtu = 1214)
> From 192.168.236.254 icmp_seq=4 Frag needed and DF set (mtu = 1214)
> From 192.168.236.254 icmp_seq=5 Frag needed and DF set (mtu = 1214)
>
> --- 192.168.235.3 ping statistics ---
> 5 packets transmitted, 0 received, +5 errors, 100% packet loss, time
> 3999ms

Hm, this works here. Can you show how you set up the vti device? Some tunnel configuration options (set ttl etc.) force the DF bit to be set.