[c-nsp] IPSEC + TFTP don't work

Damian Holdcroft damian.holdcroft at gmail.com
Fri Apr 6 02:56:28 EDT 2012


This is a common problem caused by the TFTP program/PXE chip being unable
to reassemble fragmented packets, as I think others may have mentioned.

Depending on the PXE boot server you're using, you can generally set the
maximum size for TFTP packets. I know SCCM can, as a registry entry, but
unsure about others.

HTH



On Fri, Apr 6, 2012 at 2:53 PM, Victor Sudakov <vas at mpeks.tomsk.su> wrote:

> Randy wrote:
> > > >
> > > > Try setting the MTU on the ethernet on the TFTP server to 1400 or so
> > > > rather than 1500.  That oughta fix the problem, assuming that the tftp
> > > > server software is sanely written.  If it were TCP (tftpboot is of
> > > > course udp) that would DTRT.
> > >
> > > Actually I have tried something like
> > >
> > > route add -net $protected_net -mtu 1300 $ipsec_gateway
> > >
> > > on the TFTP server and it did not help. I think the TFTP server just
> > > sends its packets as requested by the client and does not care if the
> > > MTU is small.
> >
> >
> > What you tried wouldn't work because TFTP is UDP and the MTU size
> > is decided by the application in question, unlike TCP.
>
> Therefore I thought that the above advice ("try setting the MTU on the
> ethernet") would not work either.
>
> >
> > Instead of mucking with individual-interface MTU sizes on your server,
> > how about you do the following:
> >
> > 1) account for the encap (if any, like GRE) and IPsec overhead and
> > drop your IP MTU size to a value that works.
>
> Could you please be more specific. Where do I drop the ip mtu size? If
> the TFTP server has already sent a large packet, what do I do about
> it?
>
> > 2) Ensure icmp type-3 code-4 messages are allowed between router and
> > backend server-on-lan.
>
> Any traffic is allowed, it's a lab test so far.
>
> BTW I have found out two things:
>
> 1. The TFTP traffic indeed does arrive fragmented to the NIC, see
> http://zalil.ru/33025296
>
> 2. I have found a NIC which can handle fragmentation and does work in
> this setup. It's a Broadcom BCM5709C NetXtreme II GigE, perhaps it has
> an advanced IP stack.
>
>
> --
> Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
> sip:sudakov at sibptus.tomsk.ru
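The arithmetic behind point 1) above (accounting for GRE and IPsec overhead) and the advice to cap the TFTP packet size rather than the interface MTU, as an added example that is not part of the thread: it computes the on-the-wire size of one TFTP DATA packet after ESP tunnel-mode encapsulation and the largest RFC 2348 blksize that still fits the path MTU. It assumes ESP with AES-CBC and HMAC-SHA1-96, no NAT-T, and no IP options (assumptions, not stated in the thread).

```python
# Added example, not from the thread: size TFTP DATA packets so they survive
# ESP tunnel-mode encapsulation without being fragmented by the IPsec gateway.
# Assumed (not stated in the thread): ESP tunnel mode, AES-CBC (16-byte IV,
# 16-byte cipher block), HMAC-SHA1-96 (12-byte ICV), no NAT-T UDP header.

IP_HDR = 20        # IPv4 header without options
UDP_HDR = 8
TFTP_DATA_HDR = 4  # opcode (2) + block number (2), RFC 1350
ESP_SPI_SEQ = 8    # SPI (4) + sequence number (4), RFC 4303
ESP_TRAILER = 2    # pad length (1) + next header (1), RFC 4303


def esp_tunnel_size(blksize, iv_len=16, cipher_block=16, icv_len=12, extra_encap=0):
    """Wire size of one TFTP DATA packet carrying `blksize` bytes after ESP
    tunnel-mode encapsulation. extra_encap is any encapsulation inside the
    tunnel, e.g. 24 for GRE over IPv4 (20-byte IP + 4-byte basic GRE header)."""
    inner = IP_HDR + UDP_HDR + TFTP_DATA_HDR + blksize + extra_encap
    # Inner packet + padding + trailer must fill whole cipher blocks, so round
    # up to the next multiple of the block size (ceiling division).
    encrypted = -(-(inner + ESP_TRAILER) // cipher_block) * cipher_block
    return IP_HDR + ESP_SPI_SEQ + iv_len + encrypted + icv_len


def max_blksize(path_mtu=1500, **kw):
    """Largest TFTP blksize (RFC 2348 option) whose DATA packet still fits the
    path MTU after ESP, i.e. the value to configure on the TFTP/PXE server."""
    blksize = path_mtu  # upper bound; size grows with blksize, so walk down
    while blksize > 0 and esp_tunnel_size(blksize, **kw) > path_mtu:
        blksize -= 1
    return blksize


if __name__ == "__main__":
    # A PXE client negotiating blksize 1468 fills a 1500-byte LAN MTU exactly;
    # once ESP is added every DATA packet is oversized and gets fragmented.
    print(esp_tunnel_size(1468))               # 1560 > 1500: fragmented
    print(max_blksize(1500))                   # 1406: safe server-side cap
    print(max_blksize(1500, extra_encap=24))   # 1382: with GRE inside ESP
```

The default blksize of 512 never comes close to the limit, which is why plain TFTP works and only large negotiated block sizes break over the tunnel.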
