[c-nsp] cisco nat breaks sonicwall

Peter Rathlev peter at rathlev.dk
Thu Feb 17 10:33:13 EST 2011


On Thu, 2011-02-17 at 10:00 -0500, Adam Greene wrote:
> Thanks for your advice. We have "ip mtu 1404" on all interfaces, but I 
> suspect that is not sufficient. I will look into "ip tcp adjust-mss 
> 1360" to understand what it does (besides specifying a lower MTU) that 
> "ip mtu" does not, and try it out.

The command "ip mtu N" instructs the device to not send packets bigger
than N bytes out this interface. (You might prefer "mtu N" instead, but
that's another discussion.)

If the client set the DF (Don't Fragment) bit in the packet, the router
avoids fragmenting the packet and instead drops it and sends an ICMP
"fragmentation needed" (type 3 code 4) packet back to the client. In a
perfect world this ICMP packet reaches that client, and the client
respects the new MTU for this destination. This often doesn't work, not
least because overzealous "security specialists" discard these ICMP
packets.

The command "ip tcp adjust-mss N" modifies TCP SYN packets so the TCP
MSS is "clamped" to N bytes. Since the two end-points choose the lower
of their two offered TCP MSS values (each end sends its own TCP MSS
proposal) they will now choose what the router says instead.

Beware that adjusting MSS will not help non-TCP connections.

-- 
Peter
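The SYN rewriting described above, as an added example (not code from the post or from Cisco IOS): it walks the TCP option list of a constructed sample SYN, lowers the MSS option to a clamp the way "ip tcp adjust-mss N" does, leaves non-SYN segments alone, and shows why clamping one SYN is enough because both ends use the lower offer. Function names and the sample header are assumptions made for this example.

```python
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2
TH_SYN = 0x02

def build_syn(mss, flags=TH_SYN):
    """Constructed sample TCP header (not a capture): options MSS, NOP, NOP, SACK-permitted."""
    options = struct.pack("!BBH", TCPOPT_MSS, 4, mss) + bytes([TCPOPT_NOP, TCPOPT_NOP, 4, 2])
    words = (20 + len(options)) // 4              # data offset in 32-bit words
    fixed = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, words << 4, flags, 65535, 0, 0)
    return fixed + options

def _mss_offset(hdr):
    """Walk the option list; return the byte offset of the 16-bit MSS value, or None."""
    end, i = (hdr[12] >> 4) * 4, 20
    while i < end:
        kind = hdr[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= end or hdr[i + 1] < 2 or i + hdr[i + 1] > end:
            break                                 # malformed option list: stop, touch nothing
        if kind == TCPOPT_MSS and hdr[i + 1] == 4:
            return i + 2
        i += hdr[i + 1]
    return None

def read_mss(tcp_header):
    """Advertised MSS option of a segment, or None when it carries none."""
    off = _mss_offset(tcp_header)
    return None if off is None else struct.unpack_from("!H", tcp_header, off)[0]

def clamp_mss(tcp_header, max_mss):
    """What "ip tcp adjust-mss N" does: lower the MSS option of a SYN to at most max_mss.
    Non-SYN segments and SYNs already at or below the clamp pass through unchanged.
    The TCP checksum is not recomputed (a router does; it needs the IP pseudo-header).
    """
    if len(tcp_header) < 20 or not tcp_header[13] & TH_SYN:
        return tcp_header
    hdr = bytearray(tcp_header)
    off = _mss_offset(hdr)
    if off is not None:
        struct.pack_into("!H", hdr, off, min(struct.unpack_from("!H", hdr, off)[0], max_mss))
    return bytes(hdr)

def effective_mss(syn, syn_ack):
    """Each end uses the lower of the two offers, so clamping either SYN is enough."""
    return min(read_mss(syn), read_mss(syn_ack))
```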