I had the same problem and had to add the following to the linux firewall:
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
Barry
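What the TCPMSS target actually does to a forwarded SYN is easy to see in a few lines of packet handling. The block below is an added illustration, not code from this thread or from netfilter: it builds a constructed IPv4 SYN carrying an MSS option, then rewrites the option the way --clamp-mss-to-pmtu does for IPv4 (MSS = path MTU - 40, matching only segments with SYN set and RST clear) and recomputes the TCP checksum. The 1476-byte path MTU in the usage line assumes a GRE tunnel over a 1500-byte link (20-byte outer IP header plus 4-byte GRE header); the addresses and ports are sample values.

```python
import struct

TCP_HDR = 20
IPV4_HDR = 20


def _checksum(data: bytes) -> int:
    """Ones-complement sum used by the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _walk_options(tcp: bytes, doff: int):
    """Yield (offset, kind, length) for each TCP option in tcp[20:doff]."""
    i = TCP_HDR
    while i < doff:
        kind = tcp[i]
        if kind == 0:            # End of option list
            return
        if kind == 1:            # NOP padding
            i += 1
            continue
        if i + 1 >= doff:
            return
        length = tcp[i + 1]
        if length < 2 or i + length > doff:
            return               # malformed option: stop rather than misparse
        yield i, kind, length
        i += length


def build_syn(src: bytes, dst: bytes, mss: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed IPv4 TCP SYN carrying an MSS option (sample input, not captured traffic)."""
    # Options: MSS (kind 2), NOP, NOP, SACK-permitted (kind 4)
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01" + struct.pack("!BB", 4, 2)
    doff = (TCP_HDR + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, doff << 4, 0x02, 65535, 0, 0) + options
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", _checksum(pseudo + tcp)) + tcp[18:]
    # IPv4 header with DF set (0x4000), TTL 64, protocol 6 (TCP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return ip + tcp


def mss_of(packet: bytes):
    """Return the MSS option value of an IPv4/TCP packet, or None if absent."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    doff = (tcp[12] >> 4) * 4
    for off, kind, length in _walk_options(tcp, doff):
        if kind == 2 and length == 4:
            return struct.unpack_from("!H", tcp, off + 2)[0]
    return None


def tcp_checksum_ok(packet: bytes) -> bool:
    """True when the TCP checksum (over pseudo-header + segment) verifies."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return _checksum(pseudo + tcp) == 0


def clamp_mss(packet: bytes, pmtu: int) -> bytes:
    """Clamp the MSS option of a SYN (SYN set, RST clear) to pmtu - 40, as TCPMSS does for IPv4."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:                        # not TCP: leave untouched
        return packet
    tcp = bytearray(packet[ihl:])
    flags = tcp[13]
    if not (flags & 0x02) or (flags & 0x04):  # equivalent of --tcp-flags SYN,RST SYN
        return packet
    doff = (tcp[12] >> 4) * 4
    limit = pmtu - 40                         # IPv4 header (20) + TCP header (20)
    changed = False
    for off, kind, length in _walk_options(bytes(tcp), doff):
        if kind == 2 and length == 4 and struct.unpack_from("!H", tcp, off + 2)[0] > limit:
            struct.pack_into("!H", tcp, off + 2, limit)
            changed = True
    if not changed:
        return packet
    tcp[16:18] = b"\x00\x00"                  # recompute the TCP checksum after the rewrite
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    struct.pack_into("!H", tcp, 16, _checksum(pseudo + bytes(tcp)))
    return packet[:ihl] + bytes(tcp)


if __name__ == "__main__":
    syn = build_syn(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 1460)
    clamped = clamp_mss(syn, 1476)            # GRE over a 1500-byte link: 1500 - 24
    print(mss_of(syn), "->", mss_of(clamped), "checksum ok:", tcp_checksum_ok(clamped))
```

Only the SYN needs rewriting because MSS is negotiated once per connection; the kernel target additionally uses the outgoing interface's MTU rather than a fixed number, which is why the rule needs no per-tunnel value.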
----- Original Message -----
From: "Jonathan Brewer"
Hi Folks,
I've recently come up against the issue of some ISP routers in New Zealand which block ICMP. This creates an issue for some of our clients, who we deliver service to via GRE tunnels over a multi-hop wireless network.
The issue is defined in RFC 2923, quoted below.
My question for the list is, what are the known PMTUD "black holes" in New Zealand? Is there anyone out there unwilling to allow ICMP into their network? How do we make sure Path MTU Discovery works to all endpoints within NZ?
Thanks, and regards,
Jonathan Brewer
Araneo Wireless Solutions
From RFC 2923:
"A host performs Path MTU Discovery by sending out as large a packet as possible, with the Don't Fragment (DF) bit set in the IP header. If the packet is too large for a router to forward on to a particular link, the router must send an ICMP Destination Unreachable -- Fragmentation Needed message to the source address. The host then adjusts the packet size based on the ICMP message.
As was pointed out in [RFC1435], routers don't always do this correctly -- many routers fail to send the ICMP messages, for a variety of reasons ranging from kernel bugs to configuration problems. Firewalls are often misconfigured to suppress all ICMP messages. IPsec [RFC2401] and IP-in-IP [RFC2003] tunnels shouldn't cause these sorts of problems, if the implementations follow the advice in the appropriate documents.
PMTUD, as documented in [RFC1191], fails when the appropriate ICMP messages are not received by the originating host. The upper-layer protocol continues to try to send large packets and, without the ICMP messages, never discovers that it needs to reduce the size of those packets. Its packets are disappearing into a PMTUD black hole."
_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog
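The RFC 2923 text quoted above describes the failure; the following added example (not part of Jonathan's post or of any RFC) models it and the usual way around it. It runs classic RFC 1191 discovery and an RFC 4821-style probe against a constructed three-hop path whose GRE hop has a 1476-byte MTU, once with ICMP Fragmentation Needed returned and once with it dropped. The hop names and MTUs are made up for the illustration; on a real Linux host the same probe is done by hand with ping -M do -s <size>, and for TCP by the net.ipv4.tcp_mtu_probing sysctl.

```python
from dataclasses import dataclass


@dataclass
class Hop:
    name: str
    mtu: int
    sends_icmp: bool   # False models a firewall that drops ICMP Fragmentation Needed


class SimulatedPath:
    """Constructed stand-in for a real path; a real probe would send DF-marked packets."""

    def __init__(self, hops):
        self.hops = hops
        self.probes = 0

    def send_df(self, size: int):
        """Outcome of one DF probe: ('ok', None), ('frag_needed', link_mtu) or ('timeout', None)."""
        self.probes += 1
        for hop in self.hops:
            if size > hop.mtu:
                if hop.sends_icmp:
                    return "frag_needed", hop.mtu
                return "timeout", None        # dropped with no ICMP: the black hole
        return "ok", None


def classic_pmtud(path, start_mtu=1500, max_rounds=8):
    """RFC 1191 discovery: shrink on ICMP Fragmentation Needed; None when no ICMP ever arrives."""
    mtu = start_mtu
    for _ in range(max_rounds):
        status, link_mtu = path.send_df(mtu)
        if status == "ok":
            return mtu
        if status == "frag_needed":
            mtu = link_mtu
            continue
        return None   # timeout: the host never learns it must send smaller packets
    return None


def probe_pmtu(path, lo=576, hi=1500):
    """RFC 4821-style probing: binary search on DF sizes, trusting only probes that get through."""
    if path.send_df(hi)[0] == "ok":
        return hi
    if path.send_df(lo)[0] != "ok":
        return None   # even the floor is dropped; the problem is not MTU
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if path.send_df(mid)[0] == "ok":
            lo = mid
        else:
            hi = mid
    return lo


# Constructed paths: a GRE hop (1500 - 24 = 1476) behind a router that does, and one that
# does not, return ICMP Fragmentation Needed.
WELL_BEHAVED = [Hop("access", 1500, True), Hop("gre", 1476, True), Hop("core", 1500, True)]
BLACK_HOLE = [Hop("access", 1500, True), Hop("gre", 1476, False), Hop("core", 1500, True)]

if __name__ == "__main__":
    print("classic, ICMP allowed :", classic_pmtud(SimulatedPath(WELL_BEHAVED)))
    print("classic, ICMP blocked :", classic_pmtud(SimulatedPath(BLACK_HOLE)))
    print("probing, ICMP blocked :", probe_pmtu(SimulatedPath(BLACK_HOLE)))
```

The probing variant finds 1476 on the blocked path with about a dozen probes and never depends on ICMP reaching the sender, which is the property that matters when an intermediate network filters it.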