Subject: Re: packet loss? w/ 1.6[A-D] & IPSEC policy
To: None <firstname.lastname@example.org>
From: Kimmo Suominen <email@example.com>
Date: 07/23/2002 07:42:29
I don't think this is very likely, because it worked just fine before
the upgrade of NetBSD. It would be quite a coincidence that someone
broke a router exactly at the same time.
Also, PMTUD works ok if IPsec is disabled.
The combination of PMTUD and IPsec (or PMTUD, IPsec and gif-tunnel) is
the problem. Without IPsec you can also use PMTUD and gif just fine.
And all combinations worked before NetBSD 1.6A.
| From: firstname.lastname@example.org
| Date: Tue, 23 Jul 2002 13:48:39 +0900
| >> Yes, this could well be related to the ep driver issues discussed earlier.
| >Well, it is not. I don't know what I was thinking/doing when I "checked"
| >that the problem was asymmetric. Here is the countdown of the facts:
| > - without IPSEC I can transfer bytes in both directions normally
| > - with IPSEC enabled transfers to either direction fail for
| > bigger packets (one end has ep0, the other has ex0); ie. packets
| > that grow over MTU size due to IPSEC overhead
| > - with IPSEC policies, but Path MTU Discovery disabled
| > (sysctl -w net.inet.ip.mtudisc=0) problems disappear
| >So, my problem is solved. In case others have similar problems:
| > - is the above expected behavior?
| > - how should I have learned about it in advance?
| > - should it be documented better?
| i think, between your nodes, there's some router which is discarding
| icmp need fragment message (= generic PMTUD blackhole problem).