pMTU discovery
Bernhard Schmidt
berni at birkenwald.de
Thu May 31 09:58:44 EDT 2012
Hi,

> What *exactly* are the "MTU problems on the link" that you have when you
> don't get this right? Are they on CSTP or DTLS packets, or both? In
> which direction? And what happens to the offending packets? Is the
> server sending DTLS packets with the DF bit set?

I saw this issue specifically with IPv6 transport, so we always have DF
bit set. I did not do much further debugging. Problem is that the tunnel
is configured with MTU 1406, but 1406 bytes don't really get across. At
least not from server to the client, the other direction seems to work
well. I guess the client stack is perfectly fine with pMTU discovery and
having to fragment it. I will debug this further.

> Or is your problem *internal*, and the problem is actually that the MTU
> of the VPN becomes smaller with openconnect. And you have *internal*
> firewalls that block ICMP and break your network?

No, pMTU discovery would work fine if the tunnel was capable of the
packet size it is advertising.

Best Regards,
Bernhard