[outages] HE IPv6 tunnel PMTU issues with juniper.net
joel jaeggli
joelja at bogus.com
Wed Oct 1 13:59:18 EDT 2014
On 10/1/14 10:21 AM, Owen DeLong wrote:
> Actually, given the nature of browsers these days, it is not at all
> unlikely that your request to the Juniper web server contains 1280+
> octets of HTTP header data and thus is the largest packet. I think if
> you investigate further you will find that most flows stall at the
> point of a TCP packet larger than N octets payload hitting the
> Juniper from the LAN side and being small enough that it doesn't
> generate a PTB message, so it gets silently dropped.
if it's not generating a ptb on the tunnel ingress it's kinda broken.
> At least that's what happened in my environment before I reduced the
> tcp-mss as described in my earlier message.
>
> And to Warren, yes, not fragmenting in the network _IS_ actually
> better.
>
> Owen
>
> On Oct 1, 2014, at 09:30 , Chuck Anderson via Outages
> <outages at outages.org> wrote:
>
>> On Wed, Oct 01, 2014 at 08:14:52AM -0700, joel jaeggli via Outages
>> wrote:
>>> On 10/1/14 6:50 AM, Chuck Anderson via Outages wrote:
>>>> While on my Hurricane Electric IPv6 tunnel, I cannot access
>>>> juniper.net unless I change my local interface MTU. 1500
>>>> fails, but 1280 works. I noticed this a few days ago. Before
>>>> that I had no problems with a 1500 MTU. Is anyone else seeing
>>>> this issue?
>>>
>>> The MTU of your tunnel is lower than 1500.
>>>
>>> Chances are the service on the other end isn't able to recieve
>>> pmtud messages because it's load-balanced... and the first packet
>>> that triggers that (ptb) is sent towards your tunnel ingress.
>>
>> Chances are the first large packet is from the server end, not my
>> client end.
yes ssl server for example is a good way to stimulate that.
> So if www.juniper.net sends a 1500-byte packet, it
>> should arrive at the HE.net tunnel router and that router should
>> send a PTB back to the server. Are you saying the PTB might not be
>> received by the server because it is behind a load-balancer?
or behind a layer-3 ecmp hash in which case it may not be getting back
to the machine which has the layer 3 flow terminated.
>> Shouldn't the load-balancer handle the PTB directly in that case
>> since it terminates the TCP connection?
if the right device receives it then yes.
https://tools.ietf.org/html/draft-jaeggli-v6ops-pmtud-ecmp-problem-01
>> _______________________________________________ Outages mailing
>> list Outages at outages.org
>> https://puck.nether.net/mailman/listinfo/outages
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 243 bytes
Desc: OpenPGP digital signature
URL: <https://puck.nether.net/pipermail/outages/attachments/20141001/a0fdc99d/attachment.sig>
More information about the Outages
mailing list