From nobody@FreeBSD.org  Wed May 16 20:35:02 2007
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 4B37816A401
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 16 May 2007 20:35:02 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [69.147.83.33])
	by mx1.freebsd.org (Postfix) with ESMTP id 37C9F13C4B8
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 16 May 2007 20:35:02 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id l4GKZ2rf044712
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 16 May 2007 20:35:02 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id l4GKU0UC044181;
	Wed, 16 May 2007 20:30:00 GMT
	(envelope-from nobody)
Message-Id: <200705162030.l4GKU0UC044181@www.freebsd.org>
Date: Wed, 16 May 2007 20:30:00 GMT
From: Kent Fox<kent.fox@intermountainmail.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: IP v4 udp fragmented packet reject 
X-Send-Pr-Version: www-3.0

>Number:         112722
>Category:       kern
>Synopsis:       [ipsec] [udp] IP v4 udp fragmented packet reject
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-net
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed May 16 20:40:03 GMT 2007
>Closed-Date:    
>Last-Modified:  Fri Feb 06 23:05:35 UTC 2009
>Originator:     Kent Fox
>Release:        FreeBSD 6.2-RELEASE
>Organization:
Intermountain Healthcare
>Environment:
6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12 08:43:30 UTC 2007     root@portnoy.cse.buffalo.edu:/usr/obj/usr/src/sys/SMP  amd64
>Description:
When a UDP IP fragment is received on one interface and is exiting out
another interface (both interfaces have an MTU of 1500), an ICMP type 3 code
1 (destination unreachable: host unreachable) is sent to the sending host. All other UDP
packets that are not fragmented and all TCP packets are passed without issue.

bge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
        inet x.x.44.10 netmask 0xffffff00 broadcast x.x.44.255
        ether 00:09:3d:11:99:a7
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
bge1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
        inet x.x.244.1 netmask 0xffffff00 broadcast x.x.244.255
        ether 00:09:3d:11:99:a8
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active

>How-To-Repeat:
FreeBSD host with 2 interfaces used as a forwarding gateway. Create an
IPsec tunnel that passes through routers that have to fragment the packets,
then pass through the FreeBSD gateway. Send a large amount of traffic (we
tried RDP and/or syncing M$ Exchange). Monitor the ingress interface.
>Fix:
Not known.
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-amd64->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Wed May 16 22:12:30 UTC 2007 
Responsible-Changed-Why:  
This does not sound amd64-specific. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=112722 
State-Changed-From-To: open->feedback 
State-Changed-By: rwatson 
State-Changed-When: Mon Feb 2 11:31:13 UTC 2009 
State-Changed-Why:  
Dear Kent: 

I apologize for the delay in response to this problem report.  Could I ask 
you to: 

(1) Confirm the problem still exists, especially if you've moved forward 
to a more recent rev of FreeBSD. 

(2) Let me know a bit more about your firewall/ipsec/etc setup.  In 
particular, if you can easily identify a minimalist setup to reproduce 
this problem.  Do the packets you're describing enter via a tunnel, or 
do they arrive unencapsulated? 

(3) Send me tcpdump output that shows the packet ingress and resulting 
ICMP. 

Thanks, 

Robert 



http://www.freebsd.org/cgi/query-pr.cgi?pr=112722 

From: Kent Fox <Kent.Fox@imail.org>
To: "rwatson@FreeBSD.org" <rwatson@FreeBSD.org>, "freebsd-net@FreeBSD.org"
	<freebsd-net@FreeBSD.org>
Cc:  
Subject: RE: kern/112722: [udp] IP v4 udp fragmented packet reject
Date: Mon, 2 Feb 2009 08:21:56 -0700

 Thanks for the thought but we went back to OpenBSD and fixed our performance
 issue with some kernel parameters. I'm sorry that I cannot help out and
 duplicate the problem as I no longer have that environment. The main issue
 was the forced reassembly of fragmented packets. When the ingress packet size
 was maxed out, the egress with the tunnel encapsulation was too large and
 the packet was discarded. We tried a smaller MTU on the ingress but we still
 could never make it work. Doing an IPsec tunnel with RDP was a sure way of
 killing the connection. So what you have is C------>FW------->S. From the
 C(lient) to the S(erver) there is an IPSec tunnel (all the way) and from C to
 FW (firewall FreeBSD server) is another IPSec tunnel (tunnel on the intranet
 (now GRE)).
 
 Hope that helps.
 
 Kent
 
 -----Original Message-----
 From: rwatson@FreeBSD.org [mailto:rwatson@FreeBSD.org]
 Sent: Monday, February 02, 2009 4:49 AM
 To: Kent Fox; rwatson@FreeBSD.org; freebsd-net@FreeBSD.org
 Subject: Re: kern/112722: [udp] IP v4 udp fragmented packet reject
 
 Synopsis: [udp] IP v4 udp fragmented packet reject
 
 State-Changed-From-To: open->feedback
 State-Changed-By: rwatson
 State-Changed-When: Mon Feb 2 11:31:13 UTC 2009
 State-Changed-Why:
 Dear Kent:
 
 I apologize for the delay in response to this problem report.  Could I ask
 you to:
 
 (1) Confirm the problem still exists, especially if you've moved forward
   to a more recent rev of FreeBSD.
 
 (2) Let me know a bit more about your firewall/ipsec/etc setup.  In
   particular, if you can easily identify a minimalist setup to reproduce
   this problem.  Do the packets you're describing enter via a tunnel, or
   do they arrive unencapsulated?
 
 (3) Send me tcpdump output that shows the packet ingress and resulting
   ICMP.
 
 Thanks,
 
 Robert
 
 
 
 http://www.freebsd.org/cgi/query-pr.cgi?pr=112722
 
State-Changed-From-To: feedback->open 
State-Changed-By: rwatson 
State-Changed-When: Fri Feb 6 22:51:58 UTC 2009 
State-Changed-Why:  
Transition to open: the original submitter is no longer using this 
configuration, so we'll need someone to attempt to reproduce it using 
a recent FreeBSD version and see where that leads. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=112722 
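The PR describes UDP fragments arriving on the gateway's ingress interface and an ICMP type 3 code 1 going back to the sender, and the maintainer asks for a tcpdump showing exactly that pairing. The following is an added example, not code from the PR, FreeBSD or either correspondent: it parses raw IPv4 packet bytes (such as the frames a pcap reader would hand you from a `tcpdump -w` capture, which is not included here), flags IPv4 fragments by the MF bit and fragment offset, and matches each ICMP destination-unreachable to the datagram it quotes in its payload, so the report can say whether the rejected packet was a fragment. All addresses, ports, identifiers and payloads are constructed for the demonstration; the 192.0.2.0/24 and 198.51.100.0/24 ranges are documentation prefixes, not the reporter's network.

```python
"""Triage IPv4 fragments and ICMP unreachables from raw packet bytes.

Added example, not part of the original PR. Addresses, ports and payloads
below are constructed; only the IPv4, UDP and ICMP layouts are real (RFC 791,
RFC 768, RFC 792).
"""
import struct
from dataclasses import dataclass

PROTO_ICMP, PROTO_UDP = 1, 17
ICMP_DEST_UNREACH = 3
ICMP_CODES = {0: "net unreachable", 1: "host unreachable",
              3: "port unreachable", 4: "fragmentation needed"}


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ip_bytes(a: str) -> bytes:
    return bytes(int(x) for x in a.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


@dataclass
class IPv4:
    src: str
    dst: str
    proto: int
    ident: int
    more_fragments: bool
    frag_offset: int      # in bytes, already multiplied by 8
    payload: bytes

    @property
    def is_fragment(self) -> bool:
        # Either a non-final fragment (MF set) or a non-initial one (offset > 0).
        return self.more_fragments or self.frag_offset > 0


def build_ipv4(src, dst, proto, ident, payload, mf=False, offset=0) -> bytes:
    """Minimal IPv4 header (no options) with a correct header checksum."""
    flags_frag = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, ip_bytes(src), ip_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> IPv4:
    vihl, _, total, ident, ff, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0xF) * 4
    if checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return IPv4(ip_str(src), ip_str(dst), proto, ident,
                bool(ff & 0x2000), (ff & 0x1FFF) * 8, pkt[ihl:total])


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    # UDP checksum 0 means "not computed", which IPv4 permits.
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def fragment(src, dst, ident, datagram: bytes, mtu: int = 1500) -> list:
    """Split a transport datagram into IPv4 fragments as a router with this MTU would."""
    chunk = (mtu - 20) // 8 * 8          # fragment data must be a multiple of 8
    out, off = [], 0
    while off < len(datagram):
        piece = datagram[off:off + chunk]
        more = off + chunk < len(datagram)
        out.append(build_ipv4(src, dst, PROTO_UDP, ident, piece, mf=more, offset=off))
        off += chunk
    return out


def build_icmp_unreach(code: int, original: bytes) -> bytes:
    """ICMP type 3 quoting the offending IP header plus 8 bytes of its payload."""
    ihl = (original[0] & 0xF) * 4
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + original[:ihl + 8]
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def triage(packets) -> dict:
    """Report fragments and ICMP unreachables, pairing each ICMP with the quoted datagram."""
    result = {"fragments": [], "unreachables": []}
    for raw in packets:
        ip = parse_ipv4(raw)
        if ip.is_fragment:
            result["fragments"].append(
                (ip.src, ip.dst, ip.ident, ip.frag_offset, ip.more_fragments))
        if ip.proto == PROTO_ICMP and ip.payload[0] == ICMP_DEST_UNREACH:
            if checksum(ip.payload) != 0:
                raise ValueError("bad ICMP checksum")
            code = ICMP_CODES.get(ip.payload[1], "code %d" % ip.payload[1])
            quoted = parse_ipv4(ip.payload[8:])   # inner header, payload truncated to 8 bytes
            result["unreachables"].append(
                (ip.src, code, quoted.src, quoted.dst, quoted.ident, quoted.is_fragment))
    return result


def demo() -> dict:
    """Constructed scenario: a 1808-byte UDP datagram fragmented at MTU 1500,
    then a gateway answering the first fragment with type 3 code 1."""
    client, server, gateway = "192.0.2.20", "198.51.100.50", "192.0.2.1"
    udp = build_udp(3389, 3389, b"\xaa" * 1800)
    frags = fragment(client, server, 0x1234, udp)
    icmp = build_ipv4(gateway, client, PROTO_ICMP, 0x0042, build_icmp_unreach(1, frags[0]))
    return triage(frags + [icmp])


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, *v, sep="\n  ")
```

The useful output is the last tuple: the ICMP came from the gateway, its code is "host unreachable", and the quoted datagram is the first fragment of the client's UDP packet. Because the quote carries only the IP header and 8 bytes, the MF bit and offset in that header are what identify it as a fragment; the UDP ports survive in the 8 quoted bytes, the rest of the payload does not. Note that on a real capture the quoted header may differ from the original in TTL and checksum, so compare on (src, dst, ident) rather than on raw bytes.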

>Unformatted:
