Fragmentation related problems
IP packets which exceed the maximum size accepted between two hops in a network have to be split into multiple smaller packets.
This is called fragmentation. Although fragmentation is neither unusual nor harmful in itself, some routers in the Internet are configured
in a way which breaks fragmented connections: either the fragmented packets are silently discarded, or the ICMP notification
asking the sender to transmit smaller packets is dropped.
Because a VPN has to add its own headers to the original data packet, these routers will cause trouble. The encrypted packet is usually too large
to be transmitted without fragmentation. Problems may occur while negotiating the VPN connection or while using it.
- Problems during negotiation
  - If the VPN log of DEFENDO contains messages like "retransmitting in response to duplicate packet; ...", this could be caused by fragmentation.
  - The Oakley log of a Windows peer might also provide information indicating a fragmentation problem. An example of a correct SA packet would be:
    Receive: (get) SA = 0x000ece32 from 192.168.255.1.4500
    ISAKMP Header: (V1.0), len = 1684
    If fragments have been dropped, you would see something like this instead:
    Receive: (get) SA = 0x00000000 from 192.168.255.1.4500
    ISAKMP Header: (V1.0), len = 84
    Note the value 0 for "SA" and the packet size (len = 84), which is too low. For this example one could assume that the MTU has to be reduced by 84 bytes.
- Problems while using a VPN
  - If everything is working fine with small amounts of data (e.g. ping, polling small mails, ...) but large amounts of data cannot be transmitted, this also indicates a fragmentation problem.
  - You can track it down with ping. You can instruct ping to use different packet sizes. Please refer to the documentation of
    the operating system you use if you don't know how to do this. Common ways are:
    in Unix: ping -s 1418 ADDRESS
    in Windows: ping -l 1418 ADDRESS
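As an added example (not part of the original DEFENDO documentation), the following Python script automates the ping approach: it sends echo requests with the Don't-Fragment bit set and binary-searches for the largest payload that still gets through, from which the usable path MTU follows. The ping command lines for Linux (iputils) and Windows, and the reliance on ping's exit code, are assumptions; other systems use different flags.

```python
import platform
import subprocess
from typing import Callable

IP_HEADER = 20    # bytes, IPv4 header without options
ICMP_HEADER = 8   # bytes, ICMP echo header
# A payload of 1472 fills a 1500-byte Ethernet MTU; the page's "-s 1418" is a 1446-byte IP packet.
MAX_PAYLOAD = 1472


def ping_df(address: str, payload: int, timeout_s: int = 2) -> bool:
    """Send one echo request of `payload` bytes with DF set; True if a reply arrives.
    Assumed flags: Windows 'ping -f -l', Linux iputils 'ping -M do -s'.
    A dropped probe or an ICMP 'fragmentation needed' answer yields a non-zero exit code."""
    if platform.system() == "Windows":
        cmd = ["ping", "-f", "-l", str(payload), "-n", "1", "-w", str(timeout_s * 1000), address]
    else:
        cmd = ["ping", "-M", "do", "-s", str(payload), "-c", "1", "-W", str(timeout_s), address]
    result = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def largest_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = MAX_PAYLOAD) -> int:
    """Binary search for the largest payload size `probe` accepts.
    Assumes monotonic behaviour: if size N is dropped, every larger size is dropped too."""
    if not probe(lo):
        raise RuntimeError("smallest probe failed: host unreachable or ICMP filtered")
    while lo < hi:
        mid = (lo + hi + 1) // 2   # round up so the loop always makes progress
        if probe(mid):
            lo = mid               # mid got through, answer is at least mid
        else:
            hi = mid - 1           # mid was dropped, answer is below mid
    return lo


def path_mtu(probe: Callable[[int], bool]) -> int:
    """Largest unfragmented IP packet = largest accepted payload + IP and ICMP headers."""
    return largest_payload(probe) + IP_HEADER + ICMP_HEADER


if __name__ == "__main__":
    import sys
    target = sys.argv[1]          # address of the VPN peer or a host behind the tunnel
    mtu = path_mtu(lambda size: ping_df(target, size))
    print(f"usable path MTU towards {target}: {mtu} bytes")
```

If the reported value is below the MTU of DEFENDO's VPN interface, that interface MTU is the value to lower.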
If the fragmentation problem is caused by your own router, it should be easy to modify its configuration. Otherwise it can
help to reduce the MTU of DEFENDO's VPN interface. In current releases it can be configured in the GUI menu "Expert -> Interfaces" on the tab "VPN Parameters". Try a lower predefined value first. If this has no effect, you could try e.g. 1200.
If the packets sent by a Windows client are affected, a modification of the Windows network properties could help. Try reducing
the MTU or enable "Black hole router" detection. Article support.microsoft.com/kb/120642/ describes how to do this.