Problem with VPN tunnels - apparently fragmentation
Radek Krejca
radek at ceskedomeny.cz
Sat Nov 14 17:56:31 CET 2009
Hi,
DL> Just as an aside - this particular problem is fairly easy to
DL> diagnose. You run tcpdump, first on the input interface,
DL> then on the tunnel interface and then on the output interface, and you
DL> immediately know which way the packet went, or did not go.
I did look into that, though admittedly not thoroughly enough. So, since
I do not currently have access to the PC where the VPN tunnel in question
is installed, here is a simulation using ping. The network is as follows:
10.0.0.1 - my router - my computer
The output interface (the interface closer to 10.0.0.1) on my router, via
tcpdump, while running the command ping -l 1500 10.0.0.1 on my computer
(I only have Windows available right now).
17:39:50.649012 IP 192.168.2.104 > 10.0.0.1: ICMP echo request, id 768, seq 12800, length 1480
17:39:50.649014 IP 192.168.2.104 > 10.0.0.1: icmp
17:39:56.149009 IP 192.168.2.104 > 10.0.0.1: ICMP echo request, id 768, seq 13056, length 1480
17:39:56.149011 IP 192.168.2.104 > 10.0.0.1: icmp
Next, the input interface (closer to my computer) with the same command:
17:46:45.149502 IP 192.168.2.104 > 10.0.0.1: ICMP echo request, id 768, seq 17408, length 1480
17:46:45.149516 IP 192.168.2.104 > 10.0.0.1: icmp
Without specifying a size, everything works as it should. The largest
size that gets through for me is 1472 bytes.
If I ping from my router in both directions, there is no problem (I have
fbsd there):
ping -s 15000 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 15000 data bytes
15008 bytes from 10.0.0.1: icmp_seq=0 ttl=63 time=0.635 ms
DL> Information for verification/completion should then be provided by
DL> netstat -s -p ip
ip:
2480402489 total packets received
672013 bad header checksums
0 with size smaller than minimum
300 with data size < data length
0 with ip length > max ip packet size
0 with header length < data size
0 with data length < header length
0 with bad options
770 with incorrect version number
0 fragments received
0 fragments dropped (dup or out of space)
0 fragments dropped after timeout
0 packets reassembled ok
708671754 packets for this host
583855 packets for unknown/unsupported protocol
1382107247 packets forwarded (77462627 packets fast forwarded)
1111048 packets not forwardable
15600976 packets received for unknown multicast group
0 redirects sent
599720045 packets sent from this host
23 packets sent with fabricated ip header
1575 output packets dropped due to no bufs, etc.
12 output packets discarded due to no route
10380325 output datagrams fragmented
39989831 fragments created
20 datagrams that can't be fragmented
0 tunneling packets that can't find gif
125 datagrams with bad address in header
--
Best regards,
Radek Krejca
STARNET, s. r. o.
radek at ceskedomeny.cz
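
The per-interface comparison suggested in the quoted reply can be automated. The following is an added example, not part of the original message: it parses tcpdump text in the format shown above, pairs each echo request with the bare "icmp" fragment lines that follow it, and reports the first capture point where a fragment is missing. The function names, the labels "ingress", "tunnel" and "egress", the 1 ms pairing window and the sample captures are assumptions made for illustration, and it extends the two capture points in the message to three.

```python
import re
from datetime import datetime
# Assumption from the captures above: the first fragment is printed with full
# ICMP detail, each later fragment of the same datagram as a bare "icmp" line.
LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP (\S+) > ([^:\s]+): (.*)$")
ECHO = re.compile(r"ICMP echo request, id (\d+), seq (\d+), length \d+")

def parse_capture(text, window=0.001):
    """Map (src, dst, icmp_id, seq) -> trailing fragments seen within `window` s."""
    seen, last = {}, {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
        flow, rest = (m.group(2), m.group(3)), m.group(4).strip()
        echo = ECHO.match(rest)
        if echo:
            key = flow + (int(echo.group(1)), int(echo.group(2)))
            seen[key] = 0
            last[flow] = (key, ts)
        elif rest == "icmp" and flow in last:
            key, t0 = last[flow]
            if 0 <= (ts - t0).total_seconds() <= window:
                seen[key] += 1
    return seen

def locate_loss(points):
    """points: ordered [(label, capture_text)]; the first entry is the reference."""
    parsed = [(label, parse_capture(text)) for label, text in points]
    report = {}
    for key, frags in parsed[0][1].items():
        report[key] = "complete at every capture point"
        for label, seen in parsed[1:]:
            if key not in seen:
                report[key] = f"first fragment missing at {label}"
                break
            if seen[key] < frags:
                report[key] = f"trailing fragment missing at {label}"
                break
    return report

# Constructed sample captures in the format shown above (not real traffic).
INGRESS = """17:46:45.149502 IP 192.168.2.104 > 10.0.0.1: ICMP echo request, id 768, seq 17408, length 1480
17:46:45.149516 IP 192.168.2.104 > 10.0.0.1: icmp
17:46:50.649502 IP 192.168.2.104 > 10.0.0.1: ICMP echo request, id 768, seq 17664, length 1480
17:46:50.649516 IP 192.168.2.104 > 10.0.0.1: icmp"""
TUNNEL = INGRESS.rsplit("\n", 1)[0]  # constructed: last bare fragment is absent
REPORT = locate_loss([("ingress", INGRESS), ("tunnel", TUNNEL), ("egress", TUNNEL)])
```

Datagrams are matched across capture points by ICMP id and sequence number, so the clocks of the capture hosts do not need to agree.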