Problem with VPN tunnels - apparently fragmentation

Zbyněk Burget zburget at burgnet.cz
Mon Nov 16 14:38:25 CET 2009


Dan Lukes wrote:
> Zbyněk Burget wrote:
>> Could I ask where the boundary is, up to which the amount of
>> fragmentation is still fine and beyond which it is too much?
> 
> most TCP communication has the "Don't fragment" flag set. For UDP it
> depends on the type of traffic. Ordinary 512B DNS packets should not get
> fragmented, but larger packets may be fragmented.

Hmmm - so when I have a network with several hundred mostly home users,
where people "phone" via Skype and ICQ, make calls using VoIP, and use
various torrent downloaders, the UDP traffic there is quite lively... Then
it will probably be really hard to estimate whether something is too much
or too little.

> 
> There is no exact boundary. But I can offer you numbers from some of my
> networks (networks with relatively large flows, so the "total" counter
> wraps around and cannot be taken seriously; uptime is over 82 days):
> 
> ip:
>         602409910 total packets received
>         29 fragments received
>         17 fragments dropped (dup or out of space)
>         6 fragments dropped after timeout
>         2 packets reassembled ok
>         2 output datagrams fragmented
>         6 fragments created
> 

well, for me it looks like this after 14 days of uptime (whether the total
has wrapped or not, I have no idea) - IPFW, unless I have overlooked
something somewhere, should not be filtering ICMP anywhere for me.

ip:
         2667487672 total packets received
         12252769 fragments received
         5269 fragments dropped (dup or out of space)
         481492 fragments dropped after timeout
         2196194 packets reassembled ok
         1735063 output datagrams fragmented
         10096589 fragments created

...and while looking through the other parameters, I also don't like
these - or is that OK?

         5685 bad header checksums
         2 with size smaller than minimum
         149501 with data size < data length
         76547 packets for unknown/unsupported protocol
         21487 packets received for unknown multicast group
         8813 output packets dropped due to no bufs, etc.
         10 datagrams with bad address in header

Could any of this indicate some problem? Is there something I should start
investigating, something that would be good to find and fix?

Zbynek
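
Added example, not part of the original message or of either poster's tooling: since the thread notes that the "total" counter wraps, this sketch compares the two quoted "ip:" blocks using only the fragment counters and the stated uptimes. The function names and the choice of ratios are assumptions made for illustration; 82 days is a lower bound ("over 82 days").

```python
import re

# Counters copied from the two "ip:" blocks in this thread; uptimes as stated there.
REPLY_82_DAYS = """
602409910 total packets received
29 fragments received
17 fragments dropped (dup or out of space)
6 fragments dropped after timeout
2 packets reassembled ok
2 output datagrams fragmented
6 fragments created
"""
POSTER_14_DAYS = """
2667487672 total packets received
12252769 fragments received
5269 fragments dropped (dup or out of space)
481492 fragments dropped after timeout
2196194 packets reassembled ok
1735063 output datagrams fragmented
10096589 fragments created
"""

def parse_ip_stats(text):
    """Return {counter label: value} for lines shaped like '<number> <label>'."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S.*?)\s*$", line)
        if m:
            stats[m.group(2)] = int(m.group(1))
    return stats

def frag_summary(stats, uptime_days):
    """Figures built from the fragment counters and uptime only, so a
    wrapped 'total packets received' counter cannot distort them."""
    rx = stats["fragments received"]
    tx_dgrams = stats["output datagrams fragmented"]
    timeouts = stats["fragments dropped after timeout"]
    return {
        "rx_fragments_per_day": rx / uptime_days,
        "rx_timeout_drop_pct": 100.0 * timeouts / rx if rx else 0.0,
        "tx_fragments_per_datagram": stats["fragments created"] / tx_dgrams if tx_dgrams else 0.0,
    }

if __name__ == "__main__":
    for name, text, days in (("reply", REPLY_82_DAYS, 82), ("poster", POSTER_14_DAYS, 14)):
        summary = frag_summary(parse_ip_stats(text), days)
        print(name, {k: round(v, 2) for k, v in summary.items()})
```

The per-day rate is the figure that separates the two hosts; the percentages from the 29-fragment sample rest on too few events to compare.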


