How is it possible that a router sends 1448 bytes of FTP data (frame size is 1514) but does not send 1394 bytes of FTP data (frame size is 1460) over an IPsec tunnel? The router sends an ICMP destination unreachable message to the source; the IPsec tunnel MTU is 1476.
Any idea about allowing ICMP destination unreachable messages on the Windows firewall?
The Windows firewall does not allow incoming destination unreachable. You must either disable the Windows firewall, or set your MTU to a lower value, so that when the TCP session is negotiated a lower MSS is chosen that fits into your tunnel MTU with all overheads.
As long as the DF = Do not Fragment bit is NOT set, then the router will fragment the packets.
A few applications will set the DF bit - as they require it, and the router will NOT fragment the packet, and drop it.
Can you confirm the following:
1) Is the DF bit set in the TCP header?
2) What are the MTUs on the NICs at both ends?
3) What MSS is negotiated during TCP session establishment?
If that is indeed the case, then I am very surprised that it works at all.
If the DF bit is set, and the overall packet size is bigger than the MTU of the tunnel, the router will drop it and send an ICMP "fragmentation required" message.
When you perform a packet capture on the end devices, do you see this?
Download and install the below; this will tell you the NIC MTU size and allow you to change it.
Look for the registry setting called MTU. If there is one, then it will be any number other than 1500.
If there is no registry setting called MTU under the NIC card, then it's the default MTU of 1500.
So 1500, with the DF bit, and an MSS of 1460, a device would drop the packet.
You need to do some packet captures to confirm that this is actually the case on the specific application.
Do you have any device in the path of the TCP session that could perform a TCP MSS adjust?
I have location A and location B; the problem is in location A.
The destination for both locations is the same.
The last hop is the same for both locations (IPsec tunnel).
Location A : source ip 18.104.22.168 and destination is 22.214.171.124)...
Location B : source ip 126.96.36.199 and destination is 188.8.131.52)...
Router IP with IPsec tunnel: 184.108.40.206
In both captures of location A, packet 9 in the capture is an ICMP "fragmentation needed".
In the capture of location B, packet 9 is the same.
All the FTP data is being sent with the DF bit set; the frame sizes are too big for the VPN.
Do the VPN's terminate on the ASA/PIX devices?
In location B the FTP data size is 1448 and the corresponding frame size is 1512, and this happily passes through the tunnel. At the same time, in location A the FTP data size is 1394 and the corresponding frame size is 1460, and this does not pass through the tunnel. This is strange.
The tunnel terminates on the router.
That is not how I read the packet captures; everything is not OK with the FTP data stream.
I suggest you either:
1) Change the interface MTU
2) Depending on the routing platform, use the TCP mss-adjust feature to set a lower MSS in the TCP SYN/SYN-ACK.