Can't get to 123.hp.com if client goes down a GRE tunnel
So, posting this as I'm out of ideas about the issue here.
https://community.zyxel.com/en/discussion/10698/mtu-size-on-syn-packets#latest
So a client set for MSS 1460 on the USG60W gets an IP on LAN1 192.168.254.128/25. LAN1 is MTU 1500, with a routing rule from LAN1, next hop tunnel0, gateway 192.168.254.1, to the Zywall 110 on OPT, with tunnel0 for 192.168.254.128/25 gateway 192.168.254.2 back to the USG60W; the Zywall 110 routing rule goes from tunnel0 to OPT.
When the client sends a SYN with MSS 1460 it is not changed when it goes down the GRE tunnel, so 123.hp.com sends packets with MSS 1460, which, when the Zywall 110 on OPT gets them, makes it send ICMP Destination Unreachable (Fragmentation Needed), but the server never gets it, likely because it's blocking ICMP, and so you can never get to the site.
What's needed is that when the client sends a SYN and this packet is going down a GRE tunnel, the MSS is changed to 1436 (if I got that right); this way the server sends smaller packets that fit down the tunnel to the client.
All Replies
You can test the MTU size along the path from client to server. (https://www.iea-software.com/products/mtupath/)
Some ISP backbone networks have a smaller MTU size and also don't allow packets to be fragmented. Then you will have problems accessing the server.
The best solution is to test the path MTU between client and server first, and configure the best MTU size on your WAN interface.
https://www.cloudflare.com/zh-tw/learning/network-layer/what-is-mtu/
Changing the MTU on any interface does not fix the problem; once the TCP SYN is sent with MSS 1460 the problem happens.
From tests I have done, changing the interface MTU only changes the MSS of the SYN, ACK.
Supporting changing the MSS on all interfaces (including the GRE interface) could be a solution.
Please, Zyxel, consider supporting changing the MSS on the GRE interface.
Hi @PeterUK & @Ian31
Thanks for your suggestion. Supporting a customized MSS setting on interfaces can prevent TCP packets from being fragmented by routers in the path. This will move to the idea section.
Just to bring this forward: 123.hp.com fixed the MSS problem by allowing ICMP Destination Unreachable (Fragmentation Needed) through so it sends smaller packets, but this is still a problem and needs looking at, as I'm sure many sites out there may block ICMP, like:
finance.yahoo.com
will not load if the client goes down a GRE tunnel; the SYN the client sends needs to be changed to 1436 (if I got that right) if the USG sends it down the GRE tunnel.
So some good news and bad...
The good is that this should happen for ATP/FLEX/VPN, but the bad is that it will not for the USG 40/60 or Zywall 1100.
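As an added worked example of the MSS clamping the original post and the later finance.yahoo.com reply are asking for (my code, not from the thread and not Zyxel's firmware): the 1436 figure is correct for plain GRE, because a 1500-byte link carries a 20-byte outer IPv4 header plus a 4-byte GRE header (tunnel MTU 1476), and the inner IPv4 and TCP headers take another 40 bytes. The block computes that, builds a constructed SYN advertising MSS 1460, rewrites the option to the tunnel maximum as a router doing MSS clamping would, and recomputes the TCP checksum so the rewritten segment is still valid. The addresses and port numbers are constructed; the 4-byte GRE header is an assumption (GRE with key or sequence fields adds 4 bytes each and lowers the figure further).

```python
import socket
import struct

IPV4_HDR_LEN = 20   # IPv4 header without options
TCP_HDR_LEN = 20    # TCP header without options
GRE_HDR_LEN = 4     # plain GRE header with no key/checksum/sequence fields (assumption)


def gre_tunnel_mtu(link_mtu: int = 1500) -> int:
    """MTU available inside the tunnel: the outer IPv4 and GRE headers eat into the link MTU."""
    return link_mtu - IPV4_HDR_LEN - GRE_HDR_LEN                    # 1500 -> 1476


def max_mss_for_gre(link_mtu: int = 1500) -> int:
    """Largest MSS a SYN may advertise so a full segment still fits the tunnel unfragmented."""
    return gre_tunnel_mtu(link_mtu) - IPV4_HDR_LEN - TCP_HDR_LEN   # 1476 -> 1436


def _ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit big-endian words (odd trailing byte is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _with_tcp_checksum(src_ip: bytes, dst_ip: bytes, tcp: bytes) -> bytes:
    """Return the TCP segment with its checksum recomputed over the IPv4 pseudo-header."""
    zeroed = tcp[:16] + b"\x00\x00" + tcp[18:]
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(zeroed))
    csum = _ones_complement_checksum(pseudo + zeroed)
    return zeroed[:16] + struct.pack("!H", csum) + zeroed[18:]


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int, mss: int) -> bytes:
    """Constructed sample packet: an IPv4/TCP SYN whose only option is MSS (kind 2, length 4)."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    options = struct.pack("!BBH", 2, 4, mss)
    data_offset = (TCP_HDR_LEN + len(options)) // 4                # header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                      data_offset << 4, 0x02, 65535, 0, 0) + options  # flags byte 0x02 = SYN
    tcp = _with_tcp_checksum(src, dst, tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + len(tcp),
                     0, 0x4000, 64, socket.IPPROTO_TCP, 0, src, dst)  # 0x4000 = DF bit set
    ip = ip[:10] + struct.pack("!H", _ones_complement_checksum(ip)) + ip[12:]
    return ip + tcp


def tcp_mss_option(packet: bytes):
    """Return (mss, offset of the 2-byte MSS value within the packet), or (None, None) if absent."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    if not tcp[13] & 0x02:                  # MSS is only meaningful on SYN segments
        return None, None
    hdr_len = (tcp[12] >> 4) * 4
    i = TCP_HDR_LEN
    while i < hdr_len:
        kind = tcp[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP padding
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2:                      # malformed option: stop parsing rather than loop
            break
        if kind == 2 and length == 4:
            return struct.unpack("!H", tcp[i + 2:i + 4])[0], ihl + i + 2
        i += length
    return None, None


def clamp_mss(packet: bytes, max_mss: int) -> bytes:
    """MSS clamping as a router does it: lower an oversized MSS on a SYN and fix the checksum."""
    mss, off = tcp_mss_option(packet)
    if mss is None or mss <= max_mss:
        return packet                        # nothing to do: no MSS option, or already small enough
    ihl = (packet[0] & 0x0F) * 4
    patched = packet[:off] + struct.pack("!H", max_mss) + packet[off + 2:]
    tcp = _with_tcp_checksum(packet[12:16], packet[16:20], patched[ihl:])
    return patched[:ihl] + tcp


def tcp_checksum_ok(packet: bytes) -> bool:
    """A valid segment sums to zero when the stored checksum is included in the computation."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    return _ones_complement_checksum(pseudo + tcp) == 0


if __name__ == "__main__":
    syn = build_syn("192.168.254.130", "203.0.113.10", 40000, 443, 1460)
    print("advertised MSS:", tcp_mss_option(syn)[0])
    clamped = clamp_mss(syn, max_mss_for_gre(1500))
    print("clamped MSS:", tcp_mss_option(clamped)[0], "checksum ok:", tcp_checksum_ok(clamped))
```

The point of running it is to see why changing the interface MTU alone does not help: the MSS the client advertises in its SYN is what the remote server uses to size its segments, so only rewriting that option on the way into the tunnel (or letting the Fragmentation Needed ICMP reach the server) keeps the return traffic within 1476 bytes.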