Firewall-1

[FW-1] Fragmenting packets after IPSEC....

Subject: [FW-1] Fragmenting packets after IPSEC....
From: "Cihan Subasi (Garanti Teknoloji)" <CihanS AT GARANTI.COM DOT TR>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Thu, 27 Oct 2005 10:42:34 +0300
We have discovered that when a client sends a full IP packet, the firewall
fragments this packet because the packet size increases after the IPsec
encapsulation. We want the client to know that (with the help of the
firewall), the firewall to reject the packet before encapsulating it into
IPsec, and the client to resend this packet with a smaller size so it fits
in one IPsec packet.

This fragmentation means that if one fragment is lost, the firewall requests
the whole packet back, and fragmentation and reassembling also eat CPU. Is
there a way to do what we want... so that the client knows exactly how big
the IP packet should be and the firewall does not need to fragment it...

I am not sure whether I explained the problem correctly, but if you
require any more info I am ready to provide it. Thanks
 

***********************************************************
Cihan SUBASI
Garanti Technology
Internet ve Yazilim Hizmetleri
Tel:(90)(212)4783426 GSM:(90)(533)(2750353)
Fax:(90)(212)6576150
http://www.garantitechnology.com <http://www.garantitechnology.com/> 
mailto:cihans AT garanti.com DOT tr 
Success is a wonderful thing, but never underestimate the value of
failure. Failure teaches many more things than success ever can. 
*********************************************************** 
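
The size arithmetic behind the question above, as an added example that is not part of the original post: it computes how much tunnel-mode ESP grows a packet, the largest inner packet that still fits the path MTU, and the choice a gateway has before encapsulating. The cipher suites (3DES-CBC or AES-CBC with HMAC-SHA1-96, no NAT-T), the 1500-byte MTU and all function names are assumptions, not details from the post or from FireWall-1.

```python
# Added illustration: ESP tunnel-mode size arithmetic (RFC 4303 layout).
# Cipher suites and the 1500-byte path MTU are assumptions, not from the post.
from dataclasses import dataclass

OUTER_IP = 20      # outer IPv4 header, no options
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)

@dataclass(frozen=True)
class Suite:
    block: int     # cipher block size; padding aligns to this
    iv: int        # per-packet IV length
    icv: int       # truncated integrity check value length

TDES_SHA1 = Suite(block=8, iv=8, icv=12)     # 3DES-CBC + HMAC-SHA1-96
AES_SHA1 = Suite(block=16, iv=16, icv=12)    # AES-CBC + HMAC-SHA1-96

def esp_size(inner_len: int, s: Suite) -> int:
    """Size on the wire of one inner packet after tunnel-mode ESP."""
    padded = -(-(inner_len + ESP_TRAILER) // s.block) * s.block  # round up
    return OUTER_IP + ESP_HDR + s.iv + padded + s.icv

def max_inner(path_mtu: int, s: Suite) -> int:
    """Largest inner packet whose ESP packet still fits in path_mtu."""
    room = path_mtu - OUTER_IP - ESP_HDR - s.iv - s.icv
    return (room // s.block) * s.block - ESP_TRAILER

def gateway_action(inner_len: int, df: bool, path_mtu: int, s: Suite):
    """Model of the choice a gateway has before encapsulating."""
    if esp_size(inner_len, s) <= path_mtu:
        return ("encapsulate", None)
    if df:
        # DF set: drop and report the usable size (ICMP type 3 code 4),
        # so the sender retries with smaller packets.
        return ("icmp_frag_needed", max_inner(path_mtu, s))
    return ("fragment", None)  # DF clear: the costly case from the post

if __name__ == "__main__":
    for name, s in (("3DES/SHA1", TDES_SHA1), ("AES/SHA1", AES_SHA1)):
        limit = max_inner(1500, s)
        print(name, "1500 ->", esp_size(1500, s), "bytes; max inner", limit,
              "; TCP MSS", limit - 40, gateway_action(1500, True, 1500, s))
```

The TCP MSS figure assumes 20-byte IP and TCP headers without options; it is the value an MSS clamp on the gateway would use so that TCP senders never produce a packet that needs fragmenting after encapsulation.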

 
