[Users] Win 2000 SP2 Ignores Path MTU Detection and VPN

From: Cameron Palmer (palmerc_at_gfo.seagate.com)
Date: Tue Dec 31 2002 - 02:10:03 CET


I'm not sure if this has already been mentioned, but Windows 2000 ignores
Path MTU messages (ICMP Type 3 Code 4). This creates MAJOR havoc with IPsec
VPN clients. The solution is to apply Service Pack 3, as indicated in Microsoft
Knowledge Base Article 301337.

http://support.microsoft.com/default.aspx?scid=KB;en-us;q301337

Symptoms include all sorts of strange behavior, including mail being
received but timing out on send. Copying a file to your machine will work,
but copying it to a server will fail.

As you probably already know, but I'm going to explain anyway, VPN clients
encounter this bug because IPsec tunnels set the DF (Don't Fragment) bit
on everything. So normally, if a packet encounters a link that is smaller,
the router or whatever sends back a 'Need to Fragment but Don't Fragment
Bit Set' message. The sender then ratchets its own MTU down. However, in the
case of Windows 2k SP2 it never hears that message, so connections time out. I
noticed a lot of people have lowered their MTU value to get around
Microsoft's error.

--
Cameron Palmer, Seagate Technology, palmerc_at_seagate.com
Home page http://lowlyworm.com
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
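The mechanism the post describes, as an added example that is not part of the original message or of FreeS/WAN: it builds and parses the ICMP Type 3 Code 4 "fragmentation needed and DF set" message in the RFC 1191 layout (16-bit next-hop MTU in the second word, followed by the offending IP header plus 8 bytes), then simulates a DF-marked sender against a path containing a smaller link. One sender honours the message and ratchets its MTU down; a second models the Windows 2000 SP2 behaviour of ignoring it and never gets its packet through; a third shows the manual "lower the MTU" workaround. All addresses and hop MTUs are constructed, and the 58-byte ESP tunnel overhead used to shrink the VPN hop is an assumed typical figure (it depends on the cipher suite), not something the post states.

```python
"""Path MTU discovery walk-through (added example, not from the original post).

Builds and parses ICMP type 3 code 4 per RFC 1191 and simulates senders that
honour or ignore it. Addresses, hop MTUs and ESP_OVERHEAD are constructed /
assumed values for illustration.
"""
import socket
import struct

# Assumed tunnel-mode ESP overhead (outer IP + ESP header/IV/trailer/ICV);
# the real figure depends on the cipher suite and padding.
ESP_OVERHEAD = 58


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, total_len: int, proto: int,
                      df: bool = True, ident: int = 0x1234, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header. DF is bit 14 of the flags/fragment word."""
    flags_frag = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_frag_needed(next_hop_mtu: int, offending_packet: bytes) -> bytes:
    """ICMP type 3 code 4 as a router would emit it (RFC 1191 section 4):
    type, code, checksum, 16 unused bits, 16-bit next-hop MTU, then the
    dropped packet's IP header plus its first 8 payload bytes."""
    quoted = offending_packet[:28]
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + quoted
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_frag_needed(icmp: bytes):
    """Return (next_hop_mtu, quoted_ip_header) for a valid type-3/code-4
    message, else None. The checksum is verified so a corrupted or forged
    message with a bad sum is not acted upon."""
    if len(icmp) < 28:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != 3 or code != 4:
        return None
    if inet_checksum(icmp) != 0:  # valid message sums to zero including its checksum
        return None
    return mtu, icmp[8:28]


class Sender:
    """Per-destination PMTU state. honours_pmtu=False models the Windows 2000
    SP2 behaviour described in the post: the message arrives and is ignored."""

    def __init__(self, honours_pmtu: bool = True, initial_mtu: int = 1500):
        self.path_mtu = initial_mtu
        self.honours_pmtu = honours_pmtu

    def on_icmp(self, icmp: bytes) -> None:
        parsed = parse_frag_needed(icmp)
        if parsed is None or not self.honours_pmtu:
            return
        mtu, _ = parsed
        # Only ever ratchet down; an MTU of 0 (pre-RFC-1191 router) would need
        # the plateau-table search, which is not modelled here.
        if 0 < mtu < self.path_mtu:
            self.path_mtu = mtu


def simulate(sender: Sender, hop_mtus, data_len: int = 1460, max_attempts: int = 4):
    """Send data_len bytes as one DF-marked packet sized to the sender's PMTU
    estimate until it crosses every hop or attempts run out. The first hop whose
    MTU is smaller than the packet drops it and returns ICMP 3/4.
    Returns (delivered, attempts_used, final_pmtu)."""
    for attempt in range(1, max_attempts + 1):
        size = min(20 + data_len, sender.path_mtu)
        pkt = build_ipv4_header("10.0.0.2", "192.0.2.10", size, 6) + b"\x00" * (size - 20)
        blocking = next((m for m in hop_mtus if m < size), None)
        if blocking is None:
            return True, attempt, sender.path_mtu
        sender.on_icmp(build_frag_needed(blocking, pkt))
    return False, max_attempts, sender.path_mtu


if __name__ == "__main__":
    vpn_path = [1500, 1500 - ESP_OVERHEAD, 1500]  # constructed: the IPsec hop is smaller
    print("honours PMTUD     :", simulate(Sender(True), vpn_path))
    print("ignores PMTUD     :", simulate(Sender(False), vpn_path))
    print("manual MTU = 1400 :", simulate(Sender(False, initial_mtu=1400), vpn_path))
```

The honouring sender needs exactly one extra round trip per smaller hop, which is why the post's "lower the MTU by hand" workaround also works: a host that starts below the narrowest link never triggers the message it cannot hear.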


This archive was generated by hypermail 2.1.5 : Wed Jan 01 2003 - 05:21:05 CET