In general, and in particular on a Solaris 10 machine ...
See, we are having an issue in our network. I handle some reverse proxy instances on a Solaris 10 server that is behind a load balancer, and some users access this via a NAT firewall and ... in any case, at some point 2 days ago, it all came crashing and does not work.
After hours of capturing packets and analyzing stuff, what we see is that when one of the internal clients tries to access a site, at some point (in particular, when we are sending the Server Hello SSL message, for example), the LB sends back an ICMP Fragmentation Needed message saying that the MTU is 508 bytes, and as the packets are set with the Don't Fragment bit, as is the default in Solaris...
Ok, all fine. But then... all that happens is that, as no ACK has been received (because the packets have never been received by the client), the Solaris machine sends the packets again... same size, same DF bit.
So of course this ends up with no communication being possible.
Shouldn't the Solaris OS, upon receiving this ICMP message, either unset the DF bit for those packets, or adjust the connection MSS to be < the MTU that the message is telling us? Is this something that can be configured somewhere as enabled/disabled? Or is this what is supposed to happen?
I'm not sure exactly how Path MTU discovery goes in Solaris 10, but if it doesn't take this message into account, then how does it adjust the MSS?
Thanks in advance for any pointer, help or just idea about where to look :)
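As an added illustration of what a PMTUD-capable sender is expected to do with that message (example code, not from the original post): it constructs an ICMP Fragmentation Needed packet of the kind the LB sends, validates it, reads the next-hop MTU and the DF bit from the embedded original header, and derives the TCP MSS the sender should drop to. The sample addresses, ports and the 1500-byte original segment are constructed for the example; the plateau fallback for a zero MTU field follows RFC 1191.

```python
import struct

IP_HDR, TCP_HDR = 20, 20
# RFC 1191 plateau table: used when an old router reports next-hop MTU 0.
PLATEAUS = [65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68]

def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; returns 0 when data already carries a valid one."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frag_needed(next_hop_mtu: int, orig_datagram_head: bytes) -> bytes:
    """ICMP type 3 code 4 as a router/LB emits it: 8-byte header + IP header + 8 payload bytes."""
    hdr = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu)
    csum = checksum(hdr + orig_datagram_head)
    return struct.pack("!BBHHH", 3, 4, csum, 0, next_hop_mtu) + orig_datagram_head

def parse_frag_needed(icmp: bytes, current_pmtu: int) -> dict:
    """What a PMTUD-capable sender extracts; raises ValueError if the message is unusable."""
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if typ != 3 or code != 4:
        raise ValueError("not Fragmentation Needed")
    if checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    if mtu == 0:  # pre-RFC-1191 router: fall back to the next plateau below the current PMTU
        mtu = next(p for p in PLATEAUS if p < current_pmtu)
    if mtu < 68 or mtu >= current_pmtu:
        raise ValueError("implausible next-hop MTU %d" % mtu)
    # Embedded original IPv4 header: total length at bytes 2-3, flags at bytes 6-7.
    orig_len = struct.unpack("!H", icmp[10:12])[0]
    df_set = bool(struct.unpack("!H", icmp[14:16])[0] & 0x4000)
    return {"next_hop_mtu": mtu, "orig_len": orig_len, "df": df_set,
            "new_mss": mtu - IP_HDR - TCP_HDR}

# Constructed sample: a 1500-byte DF segment from port 443 (like the Server Hello in the question).
SAMPLE_ORIG = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                          bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10])) \
              + struct.pack("!HHI", 443, 50000, 1000)

if __name__ == "__main__":
    msg = build_frag_needed(508, SAMPLE_ORIG)
    print(parse_frag_needed(msg, 1500))  # next_hop_mtu 508 -> TCP MSS should drop to 468
```

If a capture shows the retransmission keeping the original size and DF bit after such a message arrives, the sender never applied this reduction, which is the PMTUD black hole the question describes.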