[c-nsp] IPSEC + TFTP don't work

Victor Sudakov vas at mpeks.tomsk.su
Fri Apr 6 00:53:44 EDT 2012


Randy wrote:
> > > 
> > > Try setting the MTU on the ethernet on the TFTP server to 1400 or so
> > > rather than 1500.  That oughta fix the problem, assuming that the tftp
> > > server software is sanely written.  If it were TCP (tftpboot is of
> > > course udp) that would DTRT.
> > 
> > Actually I have tried something like 
> > 
> > route add -net $protected_net -mtu 1300 $ipsec_gateway
> > 
> > on the TFTP server and it did not help. I think the TFTP server just
> > sends its packets as requested by the client and does not care if the
> > MTU is small.
> 
> 
> What you tried wouldn't work because TFTP is UDP and the MTU size
> is decided by the application in question, unlike TCP.

Therefore I thought that the above advice ("try setting the MTU on the
ethernet") would not work either.

> 
> Instead of mucking with individual-interface MTU sizes on your server, how about you do the following:
> 
> 1) account for the encap (if any, like GRE) and IPsec overhead and
> drop your IP MTU size to a value that works.

Could you please be more specific. Where do I drop the ip mtu size? If
the TFTP server has already sent a large packet, what do I do about
it?

> 2) Ensure icmp type-3 code-4 messages are allowed between router and
> backend server-on-lan.

Any traffic is allowed, it's a lab test so far.

BTW I have found out two things:

1. The TFTP traffic indeed does arrive fragmented to the NIC, see
http://zalil.ru/33025296

2. I have found a NIC which can handle fragmentation and does work in
this setup. It's a Broadcom BCM5709C NetXtreme II GigE, perhaps it has
an advanced IP stack.


-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
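Added worked example for step 1 of the advice quoted above (account for the encapsulation and IPsec overhead and pick an IP MTU that works). This is not code from the post or from either participant; it assumes an ESP tunnel-mode SA using AES-CBC (16-byte IV and block) with HMAC-SHA1-96 (12-byte ICV), since the thread does not say which transform set is in use, and it treats a TFTP DATA packet as IP + UDP + a 4-byte TFTP header + blksize (RFC 2348). It computes the largest inner packet that still fits a 1500-byte path with and without GRE or NAT-T, and the largest TFTP blksize whose datagrams will not be fragmented:

```python
# Added example (not from the mailing-list post). Assumed transform:
# ESP tunnel mode, AES-CBC (16-byte IV, 16-byte block), HMAC-SHA1-96
# (12-byte ICV). Adjust the keyword arguments for other suites.

IPV4_HDR = 20        # IPv4 header without options
UDP_HDR = 8
GRE_HDR = 4          # GRE with no key/sequence/checksum fields
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
NAT_T_UDP = 8        # UDP/4500 header added by NAT traversal
TFTP_DATA_HDR = 4    # opcode + block number


def esp_tunnel_size(inner_len, iv_len=16, block=16, icv_len=12, nat_t=False):
    """Bytes on the wire for an ESP tunnel-mode packet carrying inner_len bytes."""
    # Payload plus trailer is padded up to the cipher block size.
    pad = (-(inner_len + ESP_TRAILER)) % block
    size = (IPV4_HDR + ESP_HDR + iv_len + inner_len + pad
            + ESP_TRAILER + icv_len)
    if nat_t:
        size += NAT_T_UDP
    return size


def max_inner_mtu(path_mtu, gre=False, **esp):
    """Largest inner IP packet that fits path_mtu after (GRE +) ESP encapsulation."""
    extra = IPV4_HDR + GRE_HDR if gre else 0   # GRE adds its own outer IP header
    best = 0
    for inner in range(1, path_mtu + 1):       # wire size never shrinks as inner grows
        if esp_tunnel_size(inner + extra, **esp) <= path_mtu:
            best = inner
        else:
            break
    return best


def tftp_data_datagram(blksize=512):
    """Size of one TFTP DATA packet as an IP datagram (IP + UDP + TFTP header + data)."""
    return IPV4_HDR + UDP_HDR + TFTP_DATA_HDR + blksize


def max_tftp_blksize(path_mtu, gre=False, **esp):
    """Largest TFTP blksize whose DATA datagrams will not be fragmented."""
    return max_inner_mtu(path_mtu, gre=gre, **esp) - (IPV4_HDR + UDP_HDR + TFTP_DATA_HDR)


def tftp_fits(blksize, path_mtu, gre=False, **esp):
    """True if a TFTP DATA datagram of this blksize needs no fragmentation."""
    return tftp_data_datagram(blksize) <= max_inner_mtu(path_mtu, gre=gre, **esp)


if __name__ == "__main__":
    for label, kw in (("ESP only", {}), ("GRE over ESP", {"gre": True}),
                      ("ESP with NAT-T", {"nat_t": True})):
        print(f"{label:16} inner MTU {max_inner_mtu(1500, **kw):5}  "
              f"max TFTP blksize {max_tftp_blksize(1500, **kw):5}")
    for blk in (512, 1024, 1468):
        print(f"blksize {blk:5}: datagram {tftp_data_datagram(blk)} bytes, "
              f"fits in 1500-byte path: {tftp_fits(blk, 1500)}")
```

With the assumed suite a plain ESP tunnel leaves 1438 bytes for the inner packet on a 1500-byte path (1414 with GRE, 1422 with NAT-T), so the 1400 suggested earlier in the thread is a safe round number. The figure has to be applied wherever the datagram size is actually decided: the tunnel interface's `ip mtu` for traffic the router can fragment or clamp, and the blksize the TFTP client negotiates, since a UDP sender will not shrink its datagrams on its own.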

