[c-nsp] cisco nat breaks sonicwall

Adam Greene maillist at webjogger.net
Fri Feb 18 11:36:57 EST 2011


Thanks, Peter, that's exactly what I needed to know. We will be testing 
on Monday, and I will post results here.

Thanks again,
Adam

On 2/17/2011 10:33 AM, Peter Rathlev wrote:
> On Thu, 2011-02-17 at 10:00 -0500, Adam Greene wrote:
>> Thanks for your advice. We have "ip mtu 1404" on all interfaces, but I
>> suspect that is not sufficient. I will look into "ip tcp adjust-mss
>> 1360" to understand what it does (besides specifying a lower MTU) that
>> "ip mtu" does not, and try it out.
> The command "ip mtu N" instructs the device to not send packets bigger
> than N bytes out this interface. (You might prefer "mtu N" instead, but
> that's another discussion.)
>
> If the client set the DF (Don't Fragment) bit in the packet, the router
> avoids fragmenting the packet and instead drops it and sends an ICMP
> "fragmentation needed" (type 3 code 4) packet back to the client. In a
> perfect world this ICMP packet reaches that client, and the client
> respects the new MTU for this destination. This often doesn't work, not
> least because overzealous "security specialists" discard these ICMP
> packets.
>
> The command "ip tcp adjust-mss N" modifies TCP SYN packets so the TCP
> MSS is "clamped" to N bytes. Since the two end-points choose the lower
> of their two offered TCP MSS values (each end sends its own TCP MSS
> proposal) they will now choose what the router says instead.
>
> Beware that adjusting MSS will not help non-TCP connections.
>
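To make Peter's description concrete, here is an added example (not from the thread, not Cisco code) that simulates what "ip tcp adjust-mss N" does to a TCP SYN: it parses the TCP options, lowers an MSS option that exceeds the clamp, and leaves non-SYN segments and already-smaller values alone. It also shows the MTU-to-MSS arithmetic behind the thread's "ip mtu 1404" / "adjust-mss 1360" numbers and how the two endpoints end up with the lower of the two announced values. The TCP segments are constructed by hand, and the checksum is left at zero (a real router recomputes it, which needs the IP pseudo-header).

```python
import struct

# TCP option kinds (RFC 793) and the SYN flag bit
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2
FLAG_SYN = 0x02


def tcp_mss_for_mtu(mtu, ip_hdr_len=20, tcp_hdr_len=20):
    """Largest TCP payload that fits an MTU with plain IPv4/TCP headers.
    For the thread's "ip mtu 1404" this is 1364; "adjust-mss 1360" keeps
    a few bytes of headroom below that."""
    return mtu - ip_hdr_len - tcp_hdr_len


def negotiated_mss(offered_a, offered_b):
    """Each end announces its own MSS in its SYN and sends segments no larger
    than the peer's announcement, so the effective size is the lower value."""
    return min(offered_a, offered_b)


def build_tcp_segment(flags, mss, src_port=40000, dst_port=443):
    """Constructed TCP header (seq 1000, window 65535, checksum 0) carrying a
    single 4-byte MSS option, giving a 24-byte header (data offset 6)."""
    options = struct.pack("!BBH", OPT_MSS, 4, mss)
    data_offset = (20 + len(options)) // 4          # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 1000, 0,
                         data_offset << 4, flags, 65535, 0, 0)
    return header + options


def _option_offsets(segment):
    """Yield (offset, kind, length) for each option in the TCP header."""
    data_offset = (segment[12] >> 4) * 4
    i = 20
    while i < data_offset:
        kind = segment[i]
        if kind == OPT_EOL:
            return
        if kind == OPT_NOP:
            yield i, kind, 1
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("truncated TCP option")
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("bad TCP option length")
        yield i, kind, length
        i += length


def get_mss(segment):
    """Return the MSS option value, or None if the segment carries none."""
    for off, kind, length in _option_offsets(segment):
        if kind == OPT_MSS and length == 4:
            return struct.unpack("!H", segment[off + 2:off + 4])[0]
    return None


def clamp_mss(segment, clamp):
    """Simulate "ip tcp adjust-mss <clamp>": on SYN segments only, rewrite an
    MSS option larger than `clamp` down to `clamp`. Other segments and smaller
    MSS values pass through untouched (checksum recomputation omitted)."""
    if not segment[13] & FLAG_SYN:
        return segment
    out = bytearray(segment)
    for off, kind, length in _option_offsets(segment):
        if kind == OPT_MSS and length == 4:
            current = struct.unpack("!H", segment[off + 2:off + 4])[0]
            if current > clamp:
                out[off + 2:off + 4] = struct.pack("!H", clamp)
    return bytes(out)


if __name__ == "__main__":
    # Client behind the router offers the usual Ethernet MSS of 1460.
    client_syn = build_tcp_segment(FLAG_SYN, 1460)
    seen_by_server = clamp_mss(client_syn, 1360)
    print("MSS in client SYN:", get_mss(client_syn))
    print("MSS after adjust-mss 1360:", get_mss(seen_by_server))
    # Server answers with its own 1460; the session settles on the lower value,
    # which fits inside the 1404-byte path MTU without any ICMP round trip.
    effective = negotiated_mss(get_mss(seen_by_server), 1460)
    print("effective MSS:", effective, "fits MTU 1404:",
          effective <= tcp_mss_for_mtu(1404))
```

The clamping only ever lowers the announced value, which is why it is safe to apply on every interface: a host already announcing something smaller than N keeps its own number. It also only touches the SYN, so, as Peter notes, UDP and other non-TCP traffic still depends on fragmentation or on the ICMP "fragmentation needed" messages reaching the sender.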

