A10 AX fragmentation issue

Daniel Roesen dr at cluenet.de
Sat May 28 11:36:45 CEST 2011


On Wed, May 25, 2011 at 10:30:50AM -0500, Jim Kirby wrote:
> A10 load balancers have supported IPv6 for some time.  Even better,
> they support IPv6 VIPs to IPv4 only servers keeping all ALG functions
> intact. That allowed me to deploy IPv6 to existing websites without
> touching the servers.

Given that I have now spoken to and gone through analysis with a couple of
sites unaware of the issue, I fear that a broadcast warning is warranted
to avoid surprises on World IPv6 Day:

Any A10 AX user using SLB-PT might want to double-check that their
site(s) are accessible by clients behind MTU <1500 links, NOT doing
overly aggressive[1] MSS clamping. You might find that the required
fragmentation of HTTP responses just doesn't happen and thus traffic
is being blackholed.

The only currently known workaround is lowering the real server's MTU to
1260[2] so the load balancer won't have to fragment in the first place.

Best regards,
Daniel

[1] easiest way to spot it is probably a tunnel with MTU=1280 like
    SixXS provides.

[2] 1260-sized IPv4 packet becomes 1280-sized when replacing the 20-octet
    IPv4 header with the 40-octet IPv6 header

-- 
CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0

