On Fri, 7 Jan 2005, Mike Ireton wrote:

> I'm using OpenVPN (tls server mode, 2.0_rc6), on my wireless network to tunnel
> layer2 and it's a great help. One problem I've noticed however has to do with
> fragmentation - it appears that openvpn is trying to send frames that are too
> big - up to 1509 bytes in fact - and this is causing excess fragmentation on
> the endpoints which in turn means that sometimes, these large packets can be
> reconstructed, leading to some (minor) packet loss and general inefficiencies.
> This also seems to cause some errors which openvpn notes in the logs. Here's
> some tcpdump output:
>
> 21:18:59.916433 x.x.x0.39.5000 > x.x.x1.52.1048: udp 1509 (frag 41382:1480@0+)
> 21:18:59.921593 x.x.x0.39.5000 > x.x.x1.52.1048: udp 1509 (frag 41383:1480@0+)
> 21:18:59.976583 x.x.x0.39.5000 > x.x.x1.52.1048: udp 1509 (frag 41384:1480@0+)
> 21:18:59.981257 x.x.x0.39.5000 > x.x.x1.52.1048: udp 1509 (frag 41385:1480@0+)
> 21:18:59.988882 x.x.x0.39.5000 > x.x.x1.52.1048: udp 1509 (frag 41386:1480@0+)
> 21:19:00.034423 x.x.x0.39.5000 > x.x.x1.52.1048: udp 1509 (frag 41387:1480@0+)
> 21:19:13.101311 x.x.x0.39.5000 > x.x.x0.203.1026: udp 1485 (frag 3973:1480@0+)
> 21:19:13.164115 x.x.x0.203.1026 > x.x.x0.39.5000: udp 1485 (frag 42823:1480@0+
> 21:19:22.646307 x.x.x0.39.5000 > x.x.x1.52.1048: udp 1509 (frag 41388:1480@0+)
> 21:19:22.925918 x.x.x0.39.5000 > x.x.x1.52.1048: udp 1509 (frag 41389:1480@0+)
> 21:19:22.955140 x.x.x0.39.5000 > x.x.x1.52.1048: udp 1509 (frag 41390:1480@0+)
> 21:19:22.956032 x.x.x0.39.5000 > x.x.x1.52.1048: udp 1509 (frag 41391:1480@0+)
> 21:19:23.001567 x.x.x0.39.5000 > x.x.x1.52.1048: udp 1509 (frag 41392:1480@0+)
> 21:19:23.256498 x.x.x0.39.5000 > x.x.x1.52.1048: udp 1509 (frag 41393:1480@0+)
> 21:19:23.289358 x.x.x0.39.5000 > x.x.x1.52.1048: udp 1509 (frag 41394:1480@0+)
> 21:19:23.343334 x.x.x1.52.1048 > x.x.x0.39.5000: udp 1509 (frag 58266:1480@0+)

Try a lower --mssfix value to avoid the fragmentation, and/or use
--fragment.

> ALSO, openvpn will log messages like "read UDPv4 [EHOSTUNREACH]: No route to
> host (code=113)", but this is in response to icmp messages 'ip reassembly time
> exceeded'. I know this because I did tcpdump and tail -f my syslog on the same
> machine and noted this (note the times match):

OpenVPN is only reporting the message it gets from the kernel.

> (from syslog)
> Jan 6 22:37:45 l2server daemon.err openvpn[16622]: read UDPv4
> [EHOSTUNREACH]: No route to host (code=113)
> Jan 6 22:37:55 l2server daemon.err openvpn[16622]: read UDPv4
> [EHOSTUNREACH]: No route to host (code=113)
>
> (from tcpdump)
> 22:37:45.830753 IP x.x.x.203 > x.x.x.39: icmp 556: ip reassembly
> time exceeded
> 22:37:55.133030 IP x.x.x.203 > x.x.x.39: icmp 556: ip reassembly
> time exceeded
>
> This had been bugging me for a long time.
>
>
> Also - why when I use the mtu-test option do I get these strange results?
>
> Jan 6 21:06:02 tower3 daemon.notice openvpn[18846]: NOTE: Empirical MTU test
> completed [Tried,Actual] local->remote=[1605,1605] remote->local=[1605,1605]

All this means is that a UDP packet size of 1605 was successfully sent and
received. You can use --mtu-disc to control whether or not packet
fragmentation is enabled for the test.

James

_______________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
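
Added example, not part of the original message or of OpenVPN: a Python sketch that reads first-fragment tcpdump lines like those quoted above and works out how far each UDP payload exceeds what fits in a single packet, which is the ceiling to stay under when lowering --mssfix or setting --fragment. It assumes a 20-byte IPv4 header and that `udp N` in this tcpdump format is the UDP payload length; the function names are hypothetical.

```python
import re

# A few of the tcpdump lines quoted in the post (addresses already masked there).
SAMPLE = """\
21:18:59.916433 x.x.x0.39.5000 > x.x.x1.52.1048: udp 1509 (frag 41382:1480@0+)
21:19:13.101311 x.x.x0.39.5000 > x.x.x0.203.1026: udp 1485 (frag 3973:1480@0+)
21:19:23.343334 x.x.x1.52.1048 > x.x.x0.39.5000: udp 1509 (frag 58266:1480@0+)
"""

IP_HEADER = 20   # assumption: IPv4 header without options
UDP_HEADER = 8

# "udp N (frag ID:SIZE@OFFSET+)": N = UDP payload bytes (assumed, old tcpdump
# format), SIZE = IP payload bytes in this fragment, "+" = more fragments follow.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): udp (?P<udp>\d+) "
    r"\(frag (?P<id>\d+):(?P<size>\d+)@(?P<off>\d+)(?P<more>\+?)\)?$"
)

def analyze(text):
    """Return one dict per first fragment (offset 0, more-fragments set)."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["off"] != "0" or not m["more"]:
            continue  # not the first fragment of a fragmented UDP datagram
        frag_size = int(m["size"])
        path_mtu = frag_size + IP_HEADER   # MTU implied by the fragment (lower bound)
        max_udp = frag_size - UDP_HEADER   # largest UDP payload sent unfragmented
        results.append({
            "src": m["src"], "dst": m["dst"],
            "udp_payload": int(m["udp"]),
            "implied_mtu": path_mtu,
            "max_udp_payload": max_udp,
            "excess": int(m["udp"]) - max_udp,
        })
    return results

def suggested_ceiling(results):
    """Largest UDP payload that fits every observed path, or None."""
    return min((r["max_udp_payload"] for r in results), default=None)

if __name__ == "__main__":
    rows = analyze(SAMPLE)
    for r in rows:
        print(f'{r["src"]} > {r["dst"]}: {r["udp_payload"]} bytes, '
              f'{r["excess"]} over the {r["max_udp_payload"]}-byte limit')
    print("keep OpenVPN UDP payloads at or below", suggested_ceiling(rows))
```
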