2.4.21 sending out "need to fragment" on wrong interface

2.4.21 sending out "need to fragment" on wrong interface

[Marc Haber]

Hi,

I am using a Linux machine with freeS/WAN for my connectivity. The
default route points to the IPSEC link. It has recently begun to send
out "need to fragment" packets on the wrong interface.

Traffic on internal interface (int0):
08:23:23.254711 192.168.130.117.3913 > 10.173.220.202.22: tcp 112 (DF)
08:23:23.295669 10.173.220.202.22 > 192.168.130.117.3913: tcp 0 (DF) [tos 0x10]
08:23:24.166039 10.173.220.202.22 > 192.168.130.117.3913: tcp 48 (DF) [tos 0x10] 
08:23:24.177886 10.173.220.202.22 > 192.168.130.117.3913: tcp 144 (DF) [tos 0x10] 
08:23:24.178021 192.168.130.117.3913 > 10.173.220.202.22: tcp 0 (DF)
08:23:24.181494 192.168.130.117.3913 > 10.173.220.202.22: tcp 48 (DF)
08:23:24.189591 10.173.220.202.22 > 192.168.130.117.3913: tcp 0 (DF) [tos 0x10]
08:23:24.193480 10.173.220.202.22 > 192.168.130.117.3913: tcp 144 (DF) [tos 0x10] 
08:23:24.320311 192.168.130.117.3913 > 10.173.220.202.22: tcp 0 (DF)
08:23:24.492389 192.168.130.117.3913 > 10.173.220.202.22: tcp 48 (DF)
08:23:24.502863 10.173.220.202.22 > 192.168.130.117.3913: tcp 112 (DF) [tos 0x10] 
08:23:24.507594 192.168.130.117.3913 > 10.173.220.202.22: tcp 1460 (DF)
08:23:24.507605 192.168.130.117.3913 > 10.173.220.202.22: tcp 44 (DF)
08:23:24.525303 10.173.220.202.22 > 192.168.130.117.3913: tcp 0 (DF) [tos 0x10]
08:23:24.721878 192.168.130.117.3913 > 10.173.220.202.22: tcp 1460 (DF)
08:23:25.323799 192.168.130.117.3913 > 10.173.220.202.22: tcp 1460 (DF)
08:23:26.527647 192.168.130.117.3913 > 10.173.220.202.22: tcp 1460 (DF)
08:23:28.935316 192.168.130.117.3913 > 10.173.220.202.22: tcp 1460 (DF)

Traffic on external interface (ipsec0):
08:23:23.254981 10.173.222.70.3913 > 10.173.220.202.22: tcp 112 (DF)
08:23:23.295116 10.173.220.202.22 > 10.173.222.70.3913: tcp 0 (DF) [tos 0x10] 
08:23:24.165446 10.173.220.202.22 > 10.173.222.70.3913: tcp 48 (DF) [tos 0x10] 
08:23:24.177235 10.173.220.202.22 > 10.173.222.70.3913: tcp 144 (DF) [tos 0x10] 
08:23:24.178225 10.173.222.70.3913 > 10.173.220.202.22: tcp 0 (DF)
08:23:24.181726 10.173.222.70.3913 > 10.173.220.202.22: tcp 48 (DF)
08:23:24.189057 10.173.220.202.22 > 10.173.222.70.3913: tcp 0 (DF) [tos 0x10] 
08:23:24.192856 10.173.220.202.22 > 10.173.222.70.3913: tcp 144 (DF) [tos 0x10] 
08:23:24.320551 10.173.222.70.3913 > 10.173.220.202.22: tcp 0 (DF)
08:23:24.492626 10.173.222.70.3913 > 10.173.220.202.22: tcp 48 (DF)
08:23:24.502248 10.173.220.202.22 > 10.173.222.70.3913: tcp 112 (DF) [tos 0x10] 
08:23:24.507881 10.173.222.70.3913 > 10.173.220.202.22: tcp 1460 (DF)
08:23:24.510045 10.173.222.70.3913 > 10.173.220.202.22: tcp 44 (DF)
08:23:24.524751 10.173.220.202.22 > 10.173.222.70.3913: tcp 0 (DF) [tos 0x10] 
08:23:24.722148 10.173.222.70.3913 > 10.173.220.202.22: tcp 1460 (DF)
08:23:25.324085 10.173.222.70.3913 > 10.173.220.202.22: tcp 1460 (DF)
08:23:26.527928 10.173.222.70.3913 > 10.173.220.202.22: tcp 1460 (DF)
08:23:28.935608 10.173.222.70.3913 > 10.173.220.202.22: tcp 1460 (DF)

Traffic on lo:
08:23:24.508192 10.173.222.70 > 192.168.130.117: icmp: 10.173.220.202 unreachable - need to frag (mtu 1443) [tos 0xc0] 
08:23:24.722400 10.173.222.70 > 192.168.130.117: icmp: 10.173.220.202 unreachable - need to frag (mtu 1443) [tos 0xc0] 
08:23:25.324338 10.173.222.70 > 192.168.130.117: icmp: 10.173.220.202 unreachable - need to frag (mtu 1443) [tos 0xc0] 
08:23:26.528190 10.173.222.70 > 192.168.130.117: icmp: 10.173.220.202 unreachable - need to frag (mtu 1443) [tos 0xc0] 
08:23:28.935862 10.173.222.70 > 192.168.130.117: icmp: 10.173.220.202 unreachable - need to frag (mtu 1443) [tos 0xc0] 
08:23:33.751079 10.173.222.70 > 192.168.130.117: icmp: 10.173.220.202 unreachable - need to frag (mtu 1443) [tos 0xc0] 

Routing table:
[6/506]mh@torres:~$ ip route
192.168.131.0/29 dev eth0  proto kernel  scope link  src 192.168.131.1 
10.173.222.64/29 dev eth0  proto kernel  scope link  src 10.173.222.70 
10.173.222.64/29 dev ipsec0  proto kernel  scope link  src 10.173.222.70 
10.173.222.72/29 dev eth1  proto kernel  scope link  src 10.173.222.73 
10.173.222.72/29 dev ipsec1  proto kernel  scope link  src 10.173.222.73 
192.168.130.0/24 dev int0  proto kernel  scope link  src 192.168.130.1 
0.0.0.0/1 via 10.173.222.65 dev ipsec0 
128.0.0.0/1 via 10.173.222.65 dev ipsec0 
default via 10.173.222.65 dev eth0 

[1/501]mh@torres:~$ ip route list match 192.168.130.117
192.168.130.0/24 dev int0  proto kernel  scope link  src 192.168.130.1 
128.0.0.0/1 via 212.126.222.65 dev ipsec0 
default via 212.126.222.65 dev eth0 
[2/502]mh@torres:~$ 

Can anybody tell me why my box is sending out the ICMP 10.173.220.202
unreachable packets on lo instead of int0 where the route points to?
Thank you very much.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Karlsruhe, Germany |  lose things."    Winona Ryder | Fon: *49 721 966 32 15
Nordisch by Nature |  How to make an American Quilt | Fax: *49 721 966 31 29

Re: 2.4.21 sending out "need to fragment" on wrong interface

[bert hubert]

On Mon, Nov 03, 2003 at 08:29:17AM +0100, Marc Haber wrote:
> Hi,
> 
> I am using a Linux machine with freeS/WAN for my connectivity. The
> default route points to the IPSEC link. It has recently begun to send
> out "need to fragment" packets on the wrong interface.

Linux-kernel is mostly about unpatched kernels, have you taken this up with
the freeswan people?



-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://lartc.org           Linux Advanced Routing & Traffic Control HOWTO