A10 AX fragmentation issue

George Bonser gbonser at seven.com
Sun May 29 08:35:48 CEST 2011 

In other words, the A10 is simply passing the packets to the server.
The A10 isn't doing anything with them other than translating the
destination address of the packet from the VIP to the real server
address.  It is the real server that is handling the packet (or not).
At least that has been my experience with the A10 devices to date.

 

So it (the A10) isn't so much treating the packet incorrectly as the
server is probably treating it incorrectly.  It could be that the A10
isn't passing the ICMP packet to the server at all.  Do you have tcpdump
of the traffic before and after the A10?

 

George

 

 

From: ipv6-ops-bounces+gbonser=seven.com at lists.cluenet.de
[mailto:ipv6-ops-bounces+gbonser=seven.com at lists.cluenet.de] On Behalf
Of George Bonser
Sent: Saturday, May 28, 2011 6:49 PM
To: Cameron Byrne; ipv6-ops at lists.cluenet.de
Subject: RE: A10 AX fragmentation issue

 

Ok, there is another thing to check.  If the ICMP packet is being
generated from behind a NAT it may not be effective.

 

Is this a v4 ICMP packet or a V6 ICMP packet?  If it is v4 and if it is
being generated from behind NAT,  it probably isn't going to work (ICMP
says packet to 10.1.2.3 is too big, balancer says "I don't have a
connection to 10.1.2.3, I have a connection to 123.45.67.89" )

 

But again, setting  that sysctl in the real servers if they are Linux
will eliminate the need for ICMP to do PMTUD.  ICMP PMTUD should never
be expected to work anyway which is why it is not the default mechanism
anymore with Windows or Solaris.   Too many people block ICMP in their
networks or the ICMP is being generated from behind a NAT and contains
nonsensical information.

 

 

 

 

From: ipv6-ops-bounces+gbonser=seven.com at lists.cluenet.de
[mailto:ipv6-ops-bounces+gbonser=seven.com at lists.cluenet.de] On Behalf
Of Cameron Byrne
Sent: Saturday, May 28, 2011 11:54 AM
To: ipv6-ops at lists.cluenet.de
Subject: Re: A10 AX fragmentation issue

 


On May 28, 2011 11:14 AM, "Daniel Roesen" <dr at cluenet.de> wrote:
>
> On Sat, May 28, 2011 at 10:07:02AM -0700, George Bonser wrote:
> > Is this an A10 issue or is this a problem with ICMP PMTU discovery
in
> > general?
>
> The former. The AX doesn't react to the ICMP packet too big and
> continues sending packets unfragmented.
>

Any chance you have a bug filed with them and can share the bug Id?

Cb
> Best regards,
> Daniel
>
> --
> CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.cluenet.de/pipermail/ipv6-ops/attachments/20110528/90082995/attachment.html

More information about the ipv6-ops mailing list