ASA packet ordering problems

David Woodhouse dwmw2 at infradead.org
Fri Dec 19 08:00:02 PST 2014


Kevin, you have relatively easy access to ASAs for testing, don't you?

I'm chasing up a packet loss issue that I suspect might be related to
http://rt.openssl.org/Ticket/Display.html?id=1752&user=guest&pass=guest
which I fixed in OpenSSL a few years ago. It looks like when DTLS
packets are reordered in transit, the ASA is dropping the out-of-order
ones.

Since I have dual bonded ADSL lines, I see a lot more packet reordering
than normal people might. And if I send a packet which is just larger
than the VPN MTU, that gets split into two fragments each in their own
DTLS packet — and the shorter one, although sent last, is fairly much
guaranteed to overtake the longer one in transit over the Internet.
Causing the ASA to *drop* the longer one when it does arrive.

Are you able to test this?

-- 
dwmw2
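
An added example, not part of the original message and not code from OpenSSL, openconnect or the ASA: a 64-entry sliding-window check of the kind RFC 6347 describes for DTLS anti-replay, next to a hypothetical strict receiver that models the suspected behaviour of dropping anything older than the highest sequence number seen. The arrival order is constructed to match the two-fragment case described above.

```c
#include <stdint.h>
#include <stdio.h>

/* next = one past the highest sequence number accepted; bit i of bitmap
 * is set once sequence number (next - 1 - i) has been accepted. */
struct replay_win { uint64_t next; uint64_t bitmap; };

/* Sliding-window check: a late record inside the window is accepted once. */
static int window_accept(struct replay_win *w, uint64_t seq)
{
    if (seq >= w->next) {                       /* newer than anything seen */
        uint64_t shift = seq - w->next + 1;
        w->bitmap = (shift >= 64 ? 0 : w->bitmap << shift) | 1;
        w->next = seq + 1;
        return 1;
    }
    uint64_t behind = w->next - 1 - seq;        /* distance below the highest */
    if (behind >= 64 || (w->bitmap & (1ULL << behind)))
        return 0;                               /* too old, or a duplicate */
    w->bitmap |= 1ULL << behind;
    return 1;
}

/* Hypothetical strict receiver: drops anything at or below the highest seen. */
static int strict_accept(uint64_t *next, uint64_t seq)
{
    if (seq < *next) return 0;
    *next = seq + 1;
    return 1;
}

/* Count how many records of an arrival sequence the chosen receiver delivers. */
static int delivered(const uint64_t *a, size_t n, int use_window)
{
    struct replay_win w = { 0, 0 };
    uint64_t next = 0;
    int count = 0;
    for (size_t i = 0; i < n; i++)
        count += use_window ? window_accept(&w, a[i]) : strict_accept(&next, a[i]);
    return count;
}

int main(void)
{
    /* Constructed: seq 2 (long fragment) is overtaken by seq 3 (short one);
     * the trailing 2 is a duplicate that both receivers must reject. */
    const uint64_t arrivals[] = { 0, 1, 3, 2, 4, 2 };
    printf("window: %d  strict: %d\n", delivered(arrivals, 6, 1), delivered(arrivals, 6, 0));
    return 0;
}
```

The windowed receiver delivers both fragments and still rejects the duplicate; the strict model loses the long fragment, which is the loss pattern the message describes.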
