----- Original Message Follows -----
From: Erich Titl <erich.titl@xxxxxxxx>
To: "John A. Sullivan III" <jsullivan@xxxxxxxxxxxxxxxxxxx>
Cc: OpenVPN Users <Openvpn-users@xxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [Openvpn-users] Windows client, mysterious routes and MTU issues
Date: Mon, 06 Feb 2006 16:46:32 +0000

> John
>
> sorry to follow up that quickly
>
> John A. Sullivan III wrote:
> ..
> >
> <snip>
> ..
> >
> > Then the OpenVPN server replies saying the MTU is 0:
> > Type: 3 (Destination unreachable)
> > Code: 4 (Fragmentation needed)
> > Checksum: 0x133e [correct]
> > MTU of next hop: 0
>
> I looked up the ICMP RFC (792 FYI)
>
>    Another case is when a datagram must be fragmented to be forwarded
>    by a gateway yet the Don't Fragment flag is on. In this case the
>    gateway must discard the datagram and may return a destination
>    unreachable message.
>
> It does not appear to mention a MTU size field so your MTU
> next hop field may be bogus. It is probably just data in
> the ICMP packet and belongs probably to PMTU discovery.
>
> All this smells awfully like a PMTUD Problem.
>
> cheers
>
> Erich

Thanks, Erich; I really appreciate your digging into this. However, that doesn't explain why the ping works (thus there is no real MTU problem - just a perceived one) and why the MTU shuts down to 576 rather than using the MSS size returned by the destination ACK packet. I'm still testing but it does look like it has something to do with the ipsec tunnels. I've just set up the test lab to be somewhat duplicate. So far, I do not see the MTU problem but I do see the added route problem. I do not know why a TCP connection (but not an ICMP connection) creates a route in the client routing table for the destination ip address (x.x.x.x/32) and why that only happens if there is an ipsec tunnel on the other side. I'm just starting to trace now so I'll keep you and the list apprised.
If anyone else wants to jump in, please do as I can use all the help I can get ;) - John

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
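
Added example, not part of the original thread: a Python parser for the ICMP Type 3 / Code 4 message quoted above. It assumes the RFC 1191 layout, in which the low 16 bits of the field RFC 792 leaves unused carry the next-hop MTU and 0 means the router did not fill it in; the sample packet, its addresses and the function names are constructed for illustration.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 over a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_frag_needed(icmp: bytes) -> dict:
    """Parse an ICMP message (IP header already stripped) of type 3, code 4."""
    if len(icmp) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _cksum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        raise ValueError("not Destination Unreachable / Fragmentation Needed")
    info = {
        "checksum_ok": inet_checksum(icmp) == 0,
        "next_hop_mtu": mtu,
        # 0: router left the RFC 792 "unused" field empty (no RFC 1191 support),
        # so the sender has to guess a smaller PMTU; RFC 1191 section 5 names
        # min(current PMTU, 576) as the simplest guess.
        "mtu_advertised": mtu != 0,
        # RFC 1191: a host must never lower its PMTU estimate below 68 octets.
        "mtu_plausible": mtu >= 68,
    }
    inner = icmp[8:]  # original IP header + first 8 payload bytes
    if len(inner) >= 20 and inner[0] >> 4 == 4:
        total_len, _ident, flags_frag = struct.unpack("!HHH", inner[2:8])
        info["orig_total_length"] = total_len
        info["orig_df"] = bool(flags_frag & 0x4000)
    return info

def build_sample(next_hop_mtu: int) -> bytes:
    """Constructed test message: a 1500-byte TCP datagram with DF set was dropped."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 1, 0x4000, 64, 6, 0,
                        bytes([10, 8, 0, 6]), bytes([192, 0, 2, 10])) + bytes(8)
    msg = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + inner
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]

if __name__ == "__main__":
    for mtu in (0, 1400):
        print(mtu, parse_frag_needed(build_sample(mtu)))
```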