FAST_IPSEC not sending ICMP frag needed? (was Re: FAST_IPSEC(?) drops packets?)

On 2/26/2011 6:36 AM, Matthias Drochner wrote:
> So is the CANTFRAG number counting in "netstat -pip"?
> Shouldn't the encapsulation code send NEEDFRAG ICMPs
> then? Do you observe any? Perhaps this part doesn't
> work correctly in FAST_IPSEC...

Yes, I do see "datagrams that can't be fragmented" increase in "netstat -pip". However, I don't see the router sending any ICMP fragmentation needed packets back.

BTW, changing net.inet.ipsec.dfbit to 0 does work around the problem (but causes fragmentation).

