Can't get to 123.hp.com if client goes down a GRE tunnel

PeterUK
edited August 2021 in Security

So, posting this as I'm out of ideas about the issue here.

https://community.zyxel.com/en/discussion/10698/mtu-size-on-syn-packets#latest

So a client set for MSS 1460 on a USG60W gets an IP on LAN1 192.168.254.128/25. LAN1 is MTU 1500, with a routing rule from LAN1 to next hop tunnel0, gateway 192.168.254.1, to a Zywall 110 on OPT, which has tunnel0 for 192.168.254.128/25 with gateway 192.168.254.2 back to the USG60W; the Zywall 110 has a routing rule from tunnel0 to OPT.

When the client sends a SYN with MSS 1460 it is not changed when it goes down the GRE tunnel, so 123.hp.com sends packets with MSS 1460. When the Zywall 110 on OPT gets them it sends ICMP Destination unreachable (Fragmentation needed), but the server never gets it, likely because it's blocking ICMP, and so you can never get to the site.

What's needed is that when the client sends a SYN and this packet is going down a GRE tunnel, the MSS be changed to 1436 (if I got that right); this way the server sends smaller packets that fit down the tunnel to the client.
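The MSS clamping the post asks for, shown as an added example (not Zyxel firmware code and not from this thread): it derives 1436 from a 1500-byte outer MTU minus GRE encapsulation (20-byte outer IPv4 + 4-byte GRE header, assuming no key/sequence fields) minus the inner IPv4 and TCP headers, then rewrites the MSS option of a TCP SYN and recomputes the TCP checksum. The sample SYN is constructed here; the 192.168.254.130 client address is taken from the LAN1 subnet above and 203.0.113.10 is a documentation-range stand-in for the server.

```python
import struct

GRE_OVERHEAD = 20 + 4   # outer IPv4 header + 4-byte GRE header (no key/sequence fields)

def tunnel_mss(outer_mtu=1500, overhead=GRE_OVERHEAD):
    """Largest MSS whose full-size segment still fits in one GRE-encapsulated packet."""
    return outer_mtu - overhead - 20 - 20          # minus inner IPv4 and TCP headers -> 1436

def _checksum(data):   # RFC 1071 one's-complement sum over 16-bit words
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def _mss_offset(tcp):  # byte offset of the 2-byte MSS value in the option list, or None
    i, end = 20, (tcp[12] >> 4) * 4
    while i < end:
        kind = tcp[i]
        if kind == 0: return None                   # end-of-options
        if kind == 1: i += 1; continue              # NOP padding
        if kind == 2 and tcp[i + 1] == 4: return i + 2
        i += max(2, tcp[i + 1])                     # skip other options; never loop on length 0
    return None

def syn_mss(pkt):
    """MSS advertised by an IPv4 TCP SYN, or None if the packet is not a SYN carrying MSS."""
    tcp = pkt[(pkt[0] & 0x0F) * 4:]
    off = _mss_offset(tcp) if pkt[9] == 6 and tcp[13] & 0x02 else None
    return None if off is None else struct.unpack("!H", tcp[off:off + 2])[0]

def clamp_syn_mss(pkt, max_mss):
    """Return pkt with the SYN's MSS lowered to max_mss (TCP checksum recomputed) if larger."""
    mss = syn_mss(pkt)
    if mss is None or mss <= max_mss:
        return pkt
    ihl = (pkt[0] & 0x0F) * 4
    tcp = bytearray(pkt[ihl:])
    off = _mss_offset(tcp)
    tcp[off:off + 2] = struct.pack("!H", max_mss)
    tcp[16:18] = b"\x00\x00"                        # zero the checksum before recomputing
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(tcp))   # src, dst, zero, proto, TCP len
    tcp[16:18] = struct.pack("!H", _checksum(pseudo + bytes(tcp)))
    return pkt[:ihl] + bytes(tcp)

def build_syn(mss, src=(192, 168, 254, 130), dst=(203, 0, 113, 10)):
    """Constructed sample: IPv4 + TCP SYN carrying an MSS option (server address is a documentation range)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    tcp += struct.pack("!BBH", 2, 4, mss)           # MSS option: kind 2, length 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, bytes(src), bytes(dst))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return ip + tcp[:16] + struct.pack("!H", _checksum(pseudo + tcp)) + tcp[18:]
```

A SYN that already advertises an MSS at or below the tunnel value is returned unchanged, which is the behaviour a clamp on the GRE interface would need so that the client's own lower setting is never raised.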

All Replies

  • CHS
    You can test the MTU size on the path from client to server. (https://www.iea-software.com/products/mtupath/)
    Some ISP backbone networks have a smaller MTU size and also don't allow fragmenting packets, so you will have problems accessing the server.

    The best solution is to test the Path MTU between client and server first, and configure the best MTU size on your WAN interface.
    https://www.cloudflare.com/zh-tw/learning/network-layer/what-is-mtu/
  • PeterUK

    Changing MTU on any interface does not fix the problem; once the TCP SYN sends MSS 1460 the problem happens.

    From tests I have done, changing interface MTU only changes the MSS of the SYN, ACK.


  • Ian31
    Supporting changing MSS on all interfaces (including the GRE interface) could be a solution.
    Please, Zyxel, consider supporting changing MSS on the GRE interface.

  • Zyxel_Stanley (Zyxel Employee)
    Hi @PeterUK & @Ian31
    Thanks for your suggestion. Supporting customized MSS settings on interfaces can prevent TCP packets from being fragmented by routers in the path. This will be moved to the idea section.
  • PeterUK
    edited December 2021
    Just to bring this forward: 123.hp.com fixed the MSS problem by allowing ICMP Destination unreachable (Fragmentation needed) to send smaller packets, but this is still a problem and needs looking at, as I'm sure many sites out there may block ICMP, like:
    finance.yahoo.com
    will not load if the client goes down a GRE tunnel; the SYN the client sends needs to be changed to 1436 (if I got that right) if the USG sends it down the GRE tunnel.
  • PeterUK
    So some good news and bad...

    The good is that this should happen for ATP/FLEX/VPN, but the bad is not for USG 40/60 or Zywall 110 :(
