[outages] HE IPv6 tunnel PMTU issues with juniper.net

joel jaeggli joelja at bogus.com
Wed Oct 1 13:59:18 EDT 2014


On 10/1/14 10:21 AM, Owen DeLong wrote:
> Actually, given the nature of browsers these days, it is not at all
> unlikely that your request to the Juniper web server contains 1280+
> octets of HTTP header data and thus is the largest packet. I think if
> you investigate further you will find that most flows stall at the
> point of a TCP packet larger than N octets payload hitting the
> Juniper from the LAN side and being small enough that it doesn't
> generate a PTB message, so it gets silently dropped.

if it's not generating a ptb on the tunnel ingress it's kinda broken.

> At least that's what happened in my environment before I reduced the
> tcp-mss as described in my earlier message.
> 
> And to Warren, yes, not fragmenting in the network _IS_ actually
> better.
> 
> Owen
> 
> On Oct 1, 2014, at 09:30 , Chuck Anderson via Outages
> <outages at outages.org> wrote:
> 
>> On Wed, Oct 01, 2014 at 08:14:52AM -0700, joel jaeggli via Outages
>> wrote:
>>> On 10/1/14 6:50 AM, Chuck Anderson via Outages wrote:
>>>> While on my Hurricane Electric IPv6 tunnel, I cannot access 
>>>> juniper.net unless I change my local interface MTU.  1500
>>>> fails, but 1280 works.  I noticed this a few days ago.  Before
>>>> that I had no problems with a 1500 MTU.  Is anyone else seeing
>>>> this issue?
>>> 
>>> The MTU of your tunnel is lower than 1500.
>>> 
>>> Chances are the service on the other end isn't able to receive
>>> pmtud messages because it's load-balanced... and the first packet
>>> that triggers that (ptb) is sent towards your tunnel ingress.
>> 
>> Chances are the first large packet is from the server end, not my 
>> client end. 

yes ssl server for example is a good way to stimulate that.

>> So if www.juniper.net sends a 1500-byte packet, it
>> should arrive at the HE.net tunnel router and that router should
>> send a PTB back to the server.  Are you saying the PTB might not be
>> received by the server because it is behind a load-balancer?

or behind a layer-3 ecmp hash in which case it may not be getting back
to the machine which has the layer 3 flow terminated.

>> Shouldn't the load-balancer handle the PTB directly in that case
>> since it terminates the TCP connection? 

if the right device receives it then yes.

https://tools.ietf.org/html/draft-jaeggli-v6ops-pmtud-ecmp-problem-01
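
The ECMP case discussed above, as an added example that is not part of the original message: the PTB comes from the tunnel router and carries no ports, so a hash over its outer header picks one backend regardless of which server holds the TCP flow. The addresses, backend names, the 1480-byte tunnel MTU, the SHA-256 stand-in hash and the flow-aware steering function are all assumptions of this sketch.

```python
import hashlib, struct
from ipaddress import IPv6Address

BACKENDS = ["web-a", "web-b", "web-c", "web-d"]  # hypothetical servers sharing one address
VIP = IPv6Address("2001:db8:5::80")              # constructed documentation addresses
TUNNEL_ROUTER = IPv6Address("2001:db8:7::1")
TUNNEL_MTU = 1480                                # assumed tunnel MTU (below 1500)

def ecmp_pick(src, dst, proto, sport, dport):
    """Stateless ECMP: hash the visible header fields (SHA-256 as a stand-in hash)."""
    key = struct.pack("!16s16sBHH", src.packed, dst.packed, proto, sport, dport)
    return BACKENDS[int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % len(BACKENDS)]

def build_ptb(client, cport):
    """ICMPv6 type 2 message quoting the server's oversized packet (VIP:443 -> client)."""
    ip6 = struct.pack("!IHBB16s16s", 6 << 28, 1460, 6, 64, VIP.packed, client.packed)
    tcp = struct.pack("!HH", 443, cport)
    return struct.pack("!BBHI", 2, 0, 0, TUNNEL_MTU) + ip6 + tcp  # checksum left at 0

def naive_route(ptb):
    """Hash only the outer header: source is the tunnel router, ICMPv6 has no ports."""
    return ecmp_pick(TUNNEL_ROUTER, VIP, 58, 0, 0)

def flow_aware_route(ptb):
    """Hash the quoted packet instead, reversed into the client -> server direction."""
    inner = ptb[8:]                               # skip type, code, checksum, MTU
    srv, cli = IPv6Address(inner[8:24]), IPv6Address(inner[24:40])
    sport, dport = struct.unpack("!HH", inner[40:44])
    return ecmp_pick(cli, srv, inner[6], dport, sport)

def simulate(n=200):
    """Return (naive_hits, aware_hits, naive_targets) over n constructed client flows."""
    naive = aware = 0
    targets = set()
    for i in range(n):
        client, cport = IPv6Address("2001:db8:c::") + i + 1, 40000 + i
        owner = ecmp_pick(client, VIP, 6, cport, 443)  # backend holding the TCP state
        ptb = build_ptb(client, cport)
        first = naive_route(ptb)
        targets.add(first)
        naive += first == owner
        aware += flow_aware_route(ptb) == owner
    return naive, aware, targets

if __name__ == "__main__":
    print(simulate())
```

Flows whose PTB lands on the wrong backend keep sending full-size segments and stall, which matches the symptom of 1500 failing while 1280 works.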


