Hi.
When this kind of problem is detected, the TCP implementation should send an
ICMP "Needed to fragment" packet in order to use a lower MTU - 1366 is a
typical value.
In some cases, if you are using NAT, it is possible that the ICMP Needed To
Fragment packet would not reach its destination. Then, you may select a
lower value of MTU on your clients if it's possible.
Esteban Serrano
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On behalf of Cihan
Subasi (Garanti Teknoloji) [CihanS AT GARANTI.COM DOT TR]
Sent: Thursday, 27 October 2005 9:43
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] Fragmenting packets after IPSEC....
We have discovered that when a client sends a full IP packet, the firewall
fragments these packets because the packet size increases after the
IPsec encapsulation. We want the clients to know that (with the help of the
firewall), the firewall to reject the packet before encapsulating it into
IPsec, and the clients to resend this packet with a smaller size so it fits in one
IPsec packet.
This fragmentation causes problems if one fragment is lost and the firewall requests the
whole packet back, and fragmentation and reassembly also eat
CPU. Is there a way to do what we want... so that the client knows exactly
how big the IP packet should be and the firewall does not need to fragment it...
I am not sure whether I explained the problem correctly, but if you require
any more info I am ready to provide it. Thanks
***********************************************************
Cihan SUBASI
Garanti Technology
Internet and Software Services
Tel:(90)(212)4783426 GSM:(90)(533)(2750353) Fax:(90)(212)6576150
http://www.garantitechnology.com
mailto:cihans AT garanti.com DOT tr
Success is a wonderful thing, but never underestimate the value of failure.
Failure teaches many more things than success ever can.
***********************************************************
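As an added example (not from either message in this thread): the size arithmetic behind Cihan's question and Esteban's ICMP answer. For a few assumed ESP cipher profiles it computes how large an inner packet can be before tunnel-mode encapsulation pushes it past a 1500-byte path MTU, the next-hop MTU a "Fragmentation Needed" message would carry, and the TCP MSS a client could be clamped to. Header sizes follow RFC 4303 (ESP) and RFC 3948 (UDP encapsulation for NAT-T); the cipher profiles are illustrative assumptions, not a statement about the firewall in the thread.

```python
# Added example: ESP tunnel-mode size arithmetic for the fragmentation problem
# described in the thread. Constants per RFC 4303 / RFC 3948; profiles assumed.
from dataclasses import dataclass

OUTER_IPV4 = 20   # outer IPv4 header added by tunnel mode
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)
NAT_T_UDP = 8     # UDP header when ESP is wrapped in UDP/4500 (NAT traversal)

@dataclass(frozen=True)
class EspProfile:
    name: str
    block: int   # cipher block size; the encrypted payload is padded to it
    iv: int      # IV bytes sent in clear ahead of the ciphertext
    icv: int     # integrity check value appended by the authenticator
    nat_t: bool = False

def _fixed_overhead(p: EspProfile) -> int:
    return OUTER_IPV4 + (NAT_T_UDP if p.nat_t else 0) + ESP_HDR + p.iv + p.icv

def esp_tunnel_size(inner_len: int, p: EspProfile) -> int:
    """Outer packet size after wrapping an inner IP packet of inner_len bytes."""
    pad = (p.block - (inner_len + ESP_TRAILER) % p.block) % p.block
    return _fixed_overhead(p) + inner_len + pad + ESP_TRAILER

def max_inner_len(p: EspProfile, path_mtu: int = 1500) -> int:
    """Largest inner packet that still fits one outer packet of path_mtu.
    This is the next-hop MTU an ICMP type 3 code 4 (Fragmentation Needed)
    sent back to the client should carry."""
    room = path_mtu - _fixed_overhead(p)
    return (room // p.block) * p.block - ESP_TRAILER

def needs_fragmentation(inner_len: int, p: EspProfile, path_mtu: int = 1500) -> bool:
    """The pre-encapsulation check asked for: signal instead of fragmenting."""
    return esp_tunnel_size(inner_len, p) > path_mtu

def tcp_mss_clamp(p: EspProfile, path_mtu: int = 1500) -> int:
    """MSS to advertise so TCP never trips the check: inner MTU minus IPv4+TCP headers."""
    return max_inner_len(p, path_mtu) - 40

PROFILES = [  # assumed, illustrative cipher suites
    EspProfile("AES-128-CBC / HMAC-SHA1-96", block=16, iv=16, icv=12),
    EspProfile("AES-128-CBC / HMAC-SHA1-96 + NAT-T", block=16, iv=16, icv=12, nat_t=True),
    EspProfile("3DES-CBC / HMAC-MD5-96", block=8, iv=8, icv=12),
]

if __name__ == "__main__":
    for p in PROFILES:
        print(f"{p.name:38s} inner MTU {max_inner_len(p)}  MSS {tcp_mss_clamp(p)}  "
              f"1500-byte inner -> {esp_tunnel_size(1500, p)} bytes outer")
```

Note that with NAT-T the inner MTU drops by a further 16 bytes (8 of UDP plus cipher-block rounding), which is why a client behind NAT that never receives the ICMP message benefits from a manually lowered MTU, as suggested in the reply.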
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================