
In general, and in particular on a Solaris 10 machine ...

See, we are having an issue in our network. I handle some reverse proxy instances on a Solaris 10 server that is behind a load balancer, and some users access this via a NAT firewall and ... in any case, at some point 2 days ago, it all came crashing and does not work.

After hours of capturing packets and analyzing stuff what we see is that when one of the internal clients tries to access a site, at some point (in particular, when we are sending the Server Hello SSL message, for example), the LB sends back an ICMP Fragmentation Needed message saying that the MTU is 508 bytes, and as the packets are set with the Don't Fragment bit as is the default in Solaris...

Ok, all fine. But then... all that happens is that, as no ACK has been received (because the packets have never been received by the client), the Solaris machine sends the packets again... same size, same DF bit.

So of course this ends up with no communication being possible.

Shouldn't the Solaris OS, upon receiving this ICMP message, either unset the DF bit for those packets, or adjust the connection MSS to be < the MTU that the message is telling us? Is this something that can be configured somewhere as enabled/disabled? Or is this what is supposed to happen?

I'm not sure exactly how Path MTU discovery goes in Solaris 10, but if it doesn't take this message into account then how does it adjust the MSS?

Thanks in advance for any pointer, help or just idea about where to look :)

  • What's up with the 508 MTU? See RFC 791: "All hosts must be prepared to accept datagrams of up to 576 octets". http://www.ietf.org/rfc/rfc791.txt – Greg Askew Jun 12 '15 at 16:44 (1)
  • What are the MTUs on the front- and backend sides of the loadbalancer? What is the MTU of your Solaris reverse proxy? How and where is that NAT firewall integrated, and is it a DNAT towards the LB or a SNAT on that firewall? Also, setting the DF bit is sensible, because fragmentation leads to severe throughput degradation. I wouldn't look into how to disable the DF but check why the MTU is so... odd. Also, @GregAskew is right; an MTU of 508 octets sounds horribly wrong. – Alexander Janssen Jun 14 '15 at 07:17
  • I have no idea why this 508 MTU appears now after months of working fine. It is what we have to investigate now, but it will take a lot of time (firewall is out of my reach...). But the question is why the Solaris machine does nothing with the ICMP message. For example, the minimum MSS in Solaris is defined as 108 bytes, which sounds ridiculous, but I would think that reducing the MSS for this connection would be preferable to silently failing. Although if by RFC it should be already at the lower limit, I don't know then why the OS has a minimum of 108 bytes... – Jesús Couto Fandiño Jun 15 '15 at 08:45
  • Update. There is this tuneable kernel parameter, ip_pmtu_min, that "Determines the minimum value upon which the Path MTU Discovery (PMTUD) protocol operates.", although it is in combo with the minimum MSS parameter - whatever of those 2 is higher is the limit at which, according to docs, Path MTU discovery is not going to work for lower MTUs. Default value is 576. I'm trying to test. Still, supports the idea that going lower than 576 is weird, but to @GregAskew, the RFC says "All hosts must be prepared to accept datagrams of up to 576 octets (whether they arrive whole or in fragments)" – Jesús Couto Fandiño Jun 16 '15 at 09:53
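As an added illustration (not from the question or from any commenter), the script below decodes an ICMP Destination Unreachable / Fragmentation Needed message (type 3, code 4, RFC 1191 layout): it verifies the checksum, pulls out the advertised Next-Hop MTU and the quoted original datagram (size, DF bit, endpoints), and then applies a small model of the floor described in the update comment, where an advertised MTU below ip_pmtu_min (576 by default according to that comment) is not applied and the sender keeps retransmitting the same DF-marked segment. The sample message is constructed inline (not a capture from the asker's network), the addresses are documentation values, and `pmtud_decision` is an assumption drawn from the comment's description of ip_pmtu_min, not Solaris source; the MSS it derives assumes IPv4 and a TCP header without options.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3       # ICMP type: Destination Unreachable
ICMP_FRAG_NEEDED = 4        # code: Fragmentation Needed and DF was set
IPV4_HDR_LEN = 20
TCP_HDR_LEN = 20            # TCP header without options
RFC791_MIN_DATAGRAM = 576   # every host must accept datagrams up to this size
SOLARIS_IP_PMTU_MIN = 576   # default ip_pmtu_min quoted in the comments above (assumption)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, total_len: int, df: bool = True, proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header (constructed sample, used as the quoted datagram)."""
    flags_frag = 0x4000 if df else 0           # DF is bit 0x4000 of the flags/fragment field
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_frag_needed(next_hop_mtu: int, quoted: bytes) -> bytes:
    """ICMP type 3 / code 4 in RFC 1191 layout: 2 unused bytes, then Next-Hop MTU,
    followed by the offending IP header plus the first 8 bytes of its payload."""
    msg = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu) + quoted
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def parse_frag_needed(icmp: bytes) -> dict:
    """Decode a Fragmentation Needed message and what it says about the dropped datagram."""
    if len(icmp) < 8 + IPV4_HDR_LEN + 8:
        raise ValueError("too short to carry ICMP header + quoted IP header + 8 bytes")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        raise ValueError(f"not Fragmentation Needed: type={icmp_type} code={code}")
    quoted = icmp[8:]
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto, _hcs, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", quoted[:IPV4_HDR_LEN])
    ihl = (ver_ihl & 0x0F) * 4
    # The quoted 8 bytes of TCP/UDP payload begin with the source and destination ports.
    sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return {
        "next_hop_mtu": mtu,
        "quoted_total_len": total_len,
        "df": bool(flags_frag & 0x4000),
        "proto": proto,
        "src": socket.inet_ntoa(src), "sport": sport,
        "dst": socket.inet_ntoa(dst), "dport": dport,
    }


def pmtud_decision(advertised_mtu: int, quoted_total_len: int,
                   ip_pmtu_min: int = SOLARIS_IP_PMTU_MIN) -> dict:
    """Model (assumption, not Solaris source) of a host whose PMTUD has a floor of ip_pmtu_min:
    an advertised MTU below the floor is ignored, so the sender retransmits at the old size."""
    if advertised_mtu == 0:
        return {"honored": False, "reason": "no Next-Hop MTU in message (pre-RFC 1191 router)"}
    if advertised_mtu >= quoted_total_len:
        return {"honored": False, "reason": "advertised MTU not smaller than the dropped datagram"}
    if advertised_mtu < ip_pmtu_min:
        return {"honored": False,
                "reason": f"advertised MTU {advertised_mtu} is below ip_pmtu_min {ip_pmtu_min}; "
                          "segment size unchanged",
                "below_rfc791_minimum": advertised_mtu < RFC791_MIN_DATAGRAM}
    return {"honored": True, "path_mtu": advertised_mtu,
            "new_mss": advertised_mtu - IPV4_HDR_LEN - TCP_HDR_LEN}


def sample_message(next_hop_mtu: int = 508) -> bytes:
    """Constructed sample: a 1500-byte DF-marked TLS record from the proxy (port 443) was dropped."""
    quoted = build_ipv4_header("192.0.2.10", "198.51.100.7", 1500) + \
        struct.pack("!HHI", 443, 51234, 0x12345678)
    return build_frag_needed(next_hop_mtu, quoted)


if __name__ == "__main__":
    info = parse_frag_needed(sample_message())
    print(info)
    print(pmtud_decision(info["next_hop_mtu"], info["quoted_total_len"]))
```

Run against the constructed 508-byte message, the decoder reports a DF-marked 1500-byte datagram from port 443 and the model returns `honored: False` with `below_rfc791_minimum: True`, which is the symptom in the question; feed it a value above the floor (say 1400) and it returns the new path MTU and a 1360-byte MSS. When reading a real capture, the fields to compare are the same ones: the Next-Hop MTU in the ICMP message, the quoted datagram's length and DF flag, and the host's configured floor.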

0 Answers