MTU problem on UDP

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Tue Mar 25 06:23:23 EDT 2014


On Mon, Mar 24, 2014 at 2:45 AM, Kevin <kevinchou.c at gmail.com> wrote:
> Hi List
>
> days ago I post "Can't reach some route in Anyconnect"
>  http://lists.infradead.org/pipermail/openconnect-devel/2014-March/001759.html
> and now I finally find out why.
> in my iptables I have a role to enable udp like this
> -A INPUT -p udp -m udp --dport 443 -j ACCEPT
> after I remove this role from the iptables, My problem solved.
> seems The TCP backup didn't have the MTU problem.
> but I already added
> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> and even tried
> custom-header = "X-DTLS-MTU: 1200"
> custom-header = "X-CSTP-MTU: 1200"
> set mtu = 1200 in config file. nothing helped.
> So I guess this is a MTU bug on UDP?

There can be many reasons for an MTU issue in IPv4. Most issues are
caused by firewalls that do not forward icmp packets (e.g., the
fragmentation needed). The best if you want to figure out the issue in
your case is to find out with some tool like wireshark where the
packets disappear.

Some background:
ocserv by default sets the don't fragment bit on its udp packets, and
relies on the fragmentation needed icmp packet to modify (decrease)
its MTU value. The openconnect client uses the initially agreed MTU
and expects any routers in between to fragment the IP packet, and the
receiving host to reassemble it. Both approaches have advantages and
disadvantages. The first behaves very bad when firewalls filter the
icmp fragmentation needed packet, and the latter when an intermediate
router doesn't fragment ip packets.

regards,
Nikos



More information about the openconnect-devel mailing list