[c-nsp] 7206 pppoe concentrator and vpn issues

Code Monkey have.an.email at gmail.com
Wed Apr 19 08:36:48 EDT 2006


On 8/17/05, Alain Cocconi <cocconi at canl.net> wrote:
> Hello,
>
> I'm terminating 2000 pppoe connections using a 7206 NPE-G1, all is ok except
> some customers who have problems with vpn and games like World of
> Warcraft. It seems that Checkpoint's vpn only have problems (I'm not sure
> about this). Checkpoint says it is like a mtu/mss problem, but I've checked
> all and I can not see any issue in my config, if someone has an idea about
> this, thanks.

On a 7206 12.2 T, I've seen problems with the ICMP packets saying
"packet too big and DF set".

The too big packets come in from the Internet, they don't fit into the
pppoe tunnel, the ICMP is generated correctly... and routed down the
pppoe link instead of back to the originator. I suppose the IOS code
had already set the output interface, or something like that.

If the CPE routes the packet out again, you won't detect a problem,
but (too-)smart (firewalling and/or antispoofing) CPEs will drop the
packets, breaking PMTUD.

I twigged to this when I had PMTUD problems, couldn't understand why I
got ICMP must fragment for certain clients and not for others, managed
to find one misbehaving link with a firewall I could configure myself,
and enabled "really-full" logging on it.

Couldn't find a Cisco bug ID specifically for that, ISTR there were
some about the must fragment not being generated.

HTH
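
Added example, not part of the original post: one way to spot the misrouted ICMP "fragmentation needed and DF set" (type 3, code 4) described above in packets captured inbound on a CPE's WAN side. The addresses, the 1492 MTU and all function names are constructed for illustration, and the input is assumed to be raw IPv4 with PPPoE/PPP framing already stripped.

```python
import ipaddress
import struct

def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (DF set, checksum left 0) plus payload, for the constructed samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                       64, proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def parse_frag_needed(packet):
    """Return addresses and next-hop MTU of an ICMP type 3 code 4 message, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    # Need protocol ICMP (1), the 8-byte ICMP header and the embedded IP header.
    if packet[9] != 1 or len(packet) < ihl + 8 + 20:
        return None
    icmp = packet[ihl:]
    icmp_type, code, _cksum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        return None
    inner = icmp[8:]  # header of the packet that was too big
    return {"outer_src": ipaddress.IPv4Address(packet[12:16]),
            "outer_dst": ipaddress.IPv4Address(packet[16:20]),
            "inner_src": ipaddress.IPv4Address(inner[12:16]),
            "inner_dst": ipaddress.IPv4Address(inner[16:20]),
            "mtu": mtu}

def is_misrouted(packet, subscriber_net):
    """True if a frag-needed ICMP arriving at the subscriber is addressed to the remote sender."""
    info = parse_frag_needed(packet)
    if info is None:
        return False
    net = ipaddress.ip_network(subscriber_net)
    return (info["outer_dst"] not in net                # not addressed to this subscriber
            and info["outer_dst"] == info["inner_src"]  # addressed to the original sender
            and info["inner_dst"] in net)               # whose packet was bound for the subscriber

# Constructed samples (documentation address ranges, not real traffic).
_ICMP = struct.pack("!BBHHH", 3, 4, 0, 0, 1492)
SAMPLE_MISROUTED = build_ipv4("192.0.2.1", "198.51.100.10", 1,
    _ICMP + build_ipv4("198.51.100.10", "203.0.113.25", 6, b"\x00" * 8))
SAMPLE_NORMAL = build_ipv4("192.0.2.1", "203.0.113.25", 1,
    _ICMP + build_ipv4("203.0.113.25", "198.51.100.10", 6, b"\x00" * 8))

if __name__ == "__main__":
    for name, pkt in (("misrouted", SAMPLE_MISROUTED), ("normal", SAMPLE_NORMAL)):
        print(name, is_misrouted(pkt, "203.0.113.25/32"))
```

A hit means the concentrator sent the error down the subscriber link, so a CPE with anti-spoofing or strict firewalling will drop it and the remote sender never learns the path MTU.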


