From: "Bartschies, Thomas" <Thomas.Bartschies@cvk.de>
To: "'netdev@vger.kernel.org'" <netdev@vger.kernel.org>
Subject: big ICMP requests get disrupted on IPSec tunnel activation
Date: Fri, 13 Sep 2019 08:59:00 +0000 [thread overview]
Message-ID: <EB8510AA7A943D43916A72C9B8F4181F629D9741@cvk038.intra.cvk.de> (raw)
Hello together,
since kenel 4.20 we're observing a strange behaviour when sending big ICMP packets. An example is a packet size of 3000 bytes.
The packets should be forwarded by a linux gateway (firewall) having multiple interfaces also acting as a vpn gateway.
Test steps:
1. Disabled all iptables rules
2. Enabled the VPN IPSec Policies.
3. Start a ping with packet size (e.g. 3000 bytes) from a client in the DMZ passing the machine targeting another LAN machine
4. Ping works
5. Enable a VPN policy by sending pings from the gateway to a tunnel target. System tries to create the tunnel
6. Ping from 3. immediately stalls. No error messages. Just stops.
7. Stop Ping from 3. Start another without packet size parameter. Stalls also.
Result:
Connections from the client to other services on the LAN machine still work. Tracepath works. Only ICMP requests do not pass
the gateway anymore. tcpdump sees them on incoming interface, but not on the outgoing LAN interface. IMCP requests to any
other target IP address in LAN still work. Until one uses a bigger packet size. Then these alternative connections stall also.
Flushing the policy table has no effect. Flushing the conntrack table has no effect. Setting rp_filter to loose (2) has no effect.
Flush the route cache has no effect.
Only a reboot of the gateway restores normal behavior.
What can be the cause? Is this a networking bug?
Best regards,
--
i. A. Thomas Bartschies
IT Systeme
Cornelsen Verlagskontor GmbH
Kammerratsheide 66
33609 Bielefeld
Telefon: +49 (0)521 9719-310
Telefax: +49 (0)521 9719-93310
thomas.bartschies@cvk.de
http://www.cvk.de
AG Bielefeld HRB 39324
Geschäftsführer: Thomas Fuchs, Patrick Neiss
next reply other threads:[~2019-09-13 9:08 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-13 8:59 Bartschies, Thomas [this message]
2019-09-13 17:13 ` big ICMP requests get disrupted on IPSec tunnel activation David Ahern
2019-09-17 7:28 ` AW: " Bartschies, Thomas
2019-10-14 14:02 ` Bartschies, Thomas
2019-10-14 15:31 ` Eric Dumazet
2019-10-15 10:11 ` AW: " Bartschies, Thomas
2019-10-16 12:57 Bartschies, Thomas
2019-10-16 15:31 ` Eric Dumazet
2019-10-16 15:40 ` Eric Dumazet
2019-10-17 4:44 Bartschies, Thomas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=EB8510AA7A943D43916A72C9B8F4181F629D9741@cvk038.intra.cvk.de \
--to=thomas.bartschies@cvk.de \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).