Sent only to Mathias first time. Oops.

---------- Forwarded message ----------
From: Janne Johansson <icepic...@gmail.com>
List-Post: openvpn-devel@lists.sourceforge.net
Date: 2005-okt-20 12:42
Subject: Re: [Openvpn-devel] Bug report (long) - OpenVPN dropping small frames
To: Mathias Sundman <math...@openvpn.se>


2005/10/20, Mathias Sundman <math...@openvpn.se>:
> On Wed, 19 Oct 2005, Mike Ireton wrote:
>
> > Suspiciously, I also have been observing an excessive number of ICMP "Frag
> > reassembly time exceeded" messages coming from this openvpn client
--8<--
> > I have a good test case right now. If I ping with 1393 bytes or more of
> > data, it doesn't work reliably. Whereas if I ping with 1392 bytes, it does
> > work reliably and without loss. Here is an example:
--8<--
> If that solves your problem, it would still be nice to understand if the
> cause were due to a broken router, or if there really is a bug
> somewhere...

Actually, this is exactly what I saw in the early days of openvpn, when
putting the traffic through an openbsd-PF gateway while using linux clients
in one or both ends of openvpn. Since Linux hosts send fragments with the
"don't-fragment" bit set* (supposedly to investigate MTU), the firewall will
detect a fragmented packet that has requested not to be fragmented (DF) and
drop it. In my case, the openbsd gw was under my control, so I could figure
out that it was the "scrub" option in PF that followed this kind of rule,
and remove it at first. Later I decided that this would only work until
someone was behind another PF-scrubbing host, and instead lowered the MTU of
the openvpn traffic (or the tun-device, can't remember what options I used
then), and always got the large packets through.

Try lowering the MTU and see if it helps.

*) As a sidenote, I think PF does the right thing, regardless of how useful
PMTU seems to be: a packet that requests not to be fragmented and indeed
arrives as a fragment should be removed by my firewall, since one of its
purposes is to make sure weird stuff doesn't get into my network.

--
Some mornings, it's just not worth gnawing through the straps...
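The rule Janne describes (a PF "scrub" dropping any IP fragment that also carries the DF bit) is easy to reproduce on constructed packets, which helps when diagnosing "reassembly time exceeded" reports behind such a gateway. The following is an added example, not code from the thread or from OpenVPN or PF: it parses the IPv4 header, classifies each packet as fragment or not, applies the drop rule, and replays the two ping sizes from Mike's report through it. The tunnel MTU of 1420 is a hypothetical value chosen so that a 1392-byte ping fits and a 1393-byte ping does not; the `clear_df` switch models what pf.conf's `scrub no-df` option does as far as I know, and is an assumption, not something the thread states.

```python
import struct

# IPv4 flags/fragment-offset field (RFC 791): bit 14 = DF, bit 13 = MF,
# low 13 bits = fragment offset in 8-byte units.
IP_DF = 0x4000
IP_MF = 0x2000
IP_OFFMASK = 0x1FFF
IPV4_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte header, no options


def parse_ipv4(pkt: bytes) -> dict:
    """Return the header fields the fragment/DF check needs."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto, _csum, _src, _dst = \
        struct.unpack(IPV4_HDR, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {
        "ident": ident,
        "proto": proto,
        "total_len": total_len,
        "df": bool(flags_off & IP_DF),
        "mf": bool(flags_off & IP_MF),
        "frag_offset": (flags_off & IP_OFFMASK) * 8,
    }


def is_fragment(hdr: dict) -> bool:
    # The first fragment has MF set and offset 0; later ones have a non-zero offset.
    return hdr["mf"] or hdr["frag_offset"] != 0


def scrub_verdict(pkt: bytes, clear_df: bool = False) -> tuple:
    """The rule from the post: a fragment that also carries DF is contradictory
    and is dropped. With clear_df=True (assumed to match 'scrub no-df') the DF
    bit is stripped instead and the fragment passes."""
    hdr = parse_ipv4(pkt)
    if is_fragment(hdr) and hdr["df"]:
        if clear_df:
            return ("pass", "fragment with DF; DF cleared")
        return ("drop", "fragment with DF set")
    if is_fragment(hdr):
        return ("pass", "fragment without DF")
    return ("pass", "unfragmented")


def build_ipv4(ident: int, flags_off: int, payload: bytes, proto: int = 1) -> bytes:
    """Constructed sample datagram; checksum left zero because the check ignores it."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, flags_off,
                      64, proto, 0, bytes([10, 8, 0, 1]), bytes([10, 8, 0, 2]))
    return hdr + payload


def fragment(ident: int, payload: bytes, mtu: int, df: bool) -> list:
    """Split one datagram into IP fragments the way a sending host would.
    With df=True the fragments keep DF set, as the post says Linux does."""
    chunk = (mtu - 20) // 8 * 8  # fragment data must be a multiple of 8 bytes
    frags = []
    for off in range(0, len(payload), chunk):
        part = payload[off:off + chunk]
        last = off + len(part) >= len(payload)
        flags_off = (off // 8) | (0 if last else IP_MF) | (IP_DF if df else 0)
        frags.append(build_ipv4(ident, flags_off, part))
    return frags


def run_firewall(packets: list, clear_df: bool = False) -> dict:
    """Tally pass/drop verdicts per IP identification value."""
    summary = {}
    for pkt in packets:
        hdr = parse_ipv4(pkt)
        verdict, _reason = scrub_verdict(pkt, clear_df)
        summary.setdefault(hdr["ident"], {"pass": 0, "drop": 0})[verdict] += 1
    return summary


# Constructed traffic: ICMP echo requests with 1392 and 1393 bytes of data
# (the boundary from Mike's report), i.e. 1400 and 1401 bytes after the
# 8-byte ICMP header.  TUN_MTU is a hypothetical tunnel MTU.
SMALL_PING = b"\x08\x00" + b"\x00" * 1398
LARGE_PING = b"\x08\x00" + b"\x00" * 1399
TUN_MTU = 1420


def demo(clear_df: bool = False) -> dict:
    """Replay both pings through the scrub rule and return the per-ident tally."""
    traffic = fragment(0x1001, SMALL_PING, TUN_MTU, df=True) + \
              fragment(0x1002, LARGE_PING, TUN_MTU, df=True)
    return run_firewall(traffic, clear_df)


if __name__ == "__main__":
    print("scrub drops DF fragments:", demo())
    print("scrub clears DF instead :", demo(clear_df=True))
```

The 1392-byte ping fits in one datagram and passes even with DF set; the 1393-byte ping is emitted as two fragments that both carry DF, so the scrub rule drops both and the far end never sees the echo, which is the loss pattern reported in the thread.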
