Firewall-1

Re: [FW-1] MTU Path Discovery - Not working on NG-AI

Subject: Re: [FW-1] MTU Path Discovery - Not working on NG-AI
From: Mitchell Rowton <mitchell AT ATTACKPREVENTION DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Sat, 31 Jan 2004 11:56:42 -0700

Make sure your router interfaces aren't configured with "no icmp
unreachables".  Make sure any implied rules dealing with ICMP aren't
blocking ICMP "packet too big" messages.  IPSO isn't path MTU
compliant, but this isn't really the problem.  Almost every time this
question is asked, it ends up being solved because ICMP error messages
are blocked somewhere.

Mitchell

--
http://www.securestandard.com/
Directory of Information Security White Papers

> What ICMP codes?  Who sends them?  The client, the enforcement module, the
> host behind the enforcement module?  Thanks for the help.
>
> -Aaron
>
> -----Original Message-----
> From: "Rodriguez Quintero, Juan Diego, SYNAPSIS Perú"
> [mailto:jrodriguez AT synapsis.com DOT pe]
> Sent: Friday, January 30, 2004 10:06 AM
> To: aaron.reynolds AT FRANKLINCOVEY DOT COM
> Subject: RE: [FW-1] MTU Path Discovery - Not working on NG-AI
>
> Have you checked your router...? You may be blocking some ICMP codes there.
>
>
>
> -----Original Message-----
> From: aaron.reynolds AT FRANKLINCOVEY DOT COM
> [mailto:aaron.reynolds AT FRANKLINCOVEY DOT COM]
> Sent: Friday, January 30, 2004 11:53 a.m.
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: [FW-1] MTU Path Discovery - Not working on NG-AI
>
>
> We use R54 Build 132 clients, against a R54 gateway (no HFA's)/ IPSO 3.7
> Build 23.  I have read several threads where people say MTU should not be an
> issue with SecuRemote on NG-AI, yet we continually have users that have to
> run MTUAdjust, in order to connect to certain apps through the VPN.  Could
> we be blocking something, so MTU Path Discovery cannot work properly?  Just
> trying to kill one more mystery.  Any help would be greatly appreciated.
>
>
>
> -Aaron
>
>
>
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================

--
Mitchell Rowton
CISSP, CCNP, CCDP, CCSA, NSA-IAM, Security+, Network+

Attack Prevention - http://www.attackprevention.com/
Information Security News - Articles - WhitePapers - Policies

