[Bug 801] New: Bridge dropping Ipsec fragmented packets

bugzilla-daemon at bugzilla.netfilter.org bugzilla-daemon at bugzilla.netfilter.org
Sun Sep 2 12:46:14 CEST 2012


http://bugzilla.netfilter.org/show_bug.cgi?id=801

           Summary: Bridge dropping Ipsec fragmented packets
           Product: netfilter/iptables
           Version: linux-2.6.x
          Platform: x86_64
        OS/Version: Ubuntu
            Status: NEW
          Severity: major
          Priority: P5
         Component: nf_conntrack
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: saurabh.princesam at gmail.com
   Estimated Hours: 0.0


Hi Team,

Scenario:
I am using a squid proxy in interception mode (ebtables/iptables rules are used)
for my small network.

Problem:
Whenever someone tries to connect to the Cisco VPN over the bridge, the authentication
process goes through smoothly, but after that the status bar reads "Negotiating
security policies..." and after about 30 sec. the VPN disconnects.

When I bypass the bridging box, the connection goes through smoothly without any
issues. I have checked that no iptables or ebtables rules are applied.

I tried changing the MTUs, but no go. I am not sure what this issue is
about.

Further to the MTU changes, I took a tcpdump on both of my bridge interfaces. I noticed
that the IPsec IP-fragmented packets coming in on the WAN port are getting
dropped. Similar to this post:
http://lkml.indiana.edu/hypermail/linux/kernel/0604.0/0229.html

I also checked that the patch given there is applied in my current
kernel version (2.6.38.12). I also updated the IGB drivers.

If any of you guys can suggest something to me, I would be highly obliged. I am up
for any coding changes that are required.

If any of you guys need any kind of logs or anything else to debug further, kindly
let me know.

Looking forward to your reply. 

Warm Regards
S
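The diagnosis the reporter describes (capture on both sides of the bridge and look for IPsec fragments that arrive on the WAN port but never leave on the LAN port) can be automated. The following is an added example written for this page, not code from the bug report or from the netfilter project: it decodes the IPv4 header fields that identify a fragment (MF flag and fragment offset), tags ESP packets (IP protocol 50), and compares two constructed captures to list the ESP fragments the bridge did not forward. The addresses, packet bytes, and both captures are constructed inline; in practice the raw packets would come from the two tcpdump files. Note that a non-first fragment carries no ESP or UDP header at all, which is why fragment identity is keyed on (src, dst, proto, IP ID, offset) rather than on ports or SPI.

```python
"""Added diagnostic example (not part of the bug report): classify IPv4 packets
from two captures (WAN side and LAN side of a bridge) and list the IPsec (ESP)
fragments that arrived on the WAN side but never left on the LAN side.
All packet bytes below are constructed inline; there is no real capture."""
import socket
import struct
from typing import List, NamedTuple, Tuple

ESP_PROTO = 50   # IP protocol number for IPsec ESP
UDP_PROTO = 17   # IKE (UDP/500) and NAT-T (UDP/4500) ride on UDP
IP_MF_FLAG = 0x2000
IP_FRAG_OFFSET_MASK = 0x1FFF


class IPv4Info(NamedTuple):
    src: str
    dst: str
    proto: int
    ip_id: int
    more_fragments: bool
    frag_offset: int      # in 8-byte units, as carried on the wire
    payload_len: int


def parse_ipv4(packet: bytes) -> IPv4Info:
    """Decode the IPv4 header fields needed to recognise a fragment."""
    if len(packet) < 20:
        raise ValueError("packet shorter than minimum IPv4 header")
    (ver_ihl, _tos, _total_len, ip_id, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    return IPv4Info(
        src=socket.inet_ntoa(src),
        dst=socket.inet_ntoa(dst),
        proto=proto,
        ip_id=ip_id,
        more_fragments=bool(flags_frag & IP_MF_FLAG),
        frag_offset=flags_frag & IP_FRAG_OFFSET_MASK,
        payload_len=len(packet) - ihl,
    )


def build_ipv4(src: str, dst: str, proto: int, ip_id: int,
               more_fragments: bool, frag_offset: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (no options, checksum left at 0) for the sample captures."""
    flags_frag = (IP_MF_FLAG if more_fragments else 0) | (frag_offset & IP_FRAG_OFFSET_MASK)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id,
                         flags_frag, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def is_fragment(info: IPv4Info) -> bool:
    """A packet belongs to a fragmented datagram if MF is set or its offset is non-zero."""
    return info.more_fragments or info.frag_offset > 0


def is_ipsec_fragment(info: IPv4Info) -> bool:
    return info.proto == ESP_PROTO and is_fragment(info)


FragKey = Tuple[str, str, int, int, int]   # (src, dst, proto, ip_id, frag_offset)


def fragment_key(info: IPv4Info) -> FragKey:
    """Identity of one fragment: the datagram it belongs to plus its offset.
    Non-first fragments carry no transport header, so ports/SPI cannot be used."""
    return (info.src, info.dst, info.proto, info.ip_id, info.frag_offset)


def dropped_ipsec_fragments(wan_packets: List[bytes], lan_packets: List[bytes]) -> List[FragKey]:
    """ESP fragments seen in the WAN-side capture that never appear on the LAN side."""
    lan_seen = {fragment_key(parse_ipv4(p)) for p in lan_packets}
    dropped = []
    for raw in wan_packets:
        info = parse_ipv4(raw)
        if is_ipsec_fragment(info) and fragment_key(info) not in lan_seen:
            dropped.append(fragment_key(info))
    return dropped


# --- constructed sample captures (hypothetical addresses from documentation ranges) ---
VPN_GW = "203.0.113.10"   # stands in for the VPN gateway
CLIENT = "192.0.2.20"     # stands in for the VPN client behind the bridge

# One 24-byte ESP payload split into two fragments, IP ID 0x1234:
# the first carries bytes 0..15 (MF set), the second bytes 16..23 (offset 2 = 16/8).
esp_first = build_ipv4(VPN_GW, CLIENT, ESP_PROTO, 0x1234, True, 0, b"\x00" * 16)
esp_last = build_ipv4(VPN_GW, CLIENT, ESP_PROTO, 0x1234, False, 2, b"\x00" * 8)
# An unfragmented IKE packet (UDP 500 -> 500, 8-byte UDP header + 8 bytes) for contrast.
ike = build_ipv4(VPN_GW, CLIENT, UDP_PROTO, 0x1235, False, 0,
                 b"\x01\xf4\x01\xf4\x00\x10\x00\x00" + b"\x00" * 8)

WAN_CAPTURE = [ike, esp_first, esp_last]
LAN_CAPTURE = [ike, esp_first]   # the bridge forwarded everything except the last fragment


def main() -> None:
    for src, dst, _proto, ip_id, off in dropped_ipsec_fragments(WAN_CAPTURE, LAN_CAPTURE):
        print(f"dropped ESP fragment {src} -> {dst} id=0x{ip_id:04x} offset={off * 8} bytes")


if __name__ == "__main__":
    main()
```

Run against real captures, the same comparison tells you whether the loss is specific to non-first fragments (offset greater than zero, no transport header for conntrack to inspect) or affects whole ESP datagrams, which narrows the problem to the bridge's fragment handling versus something upstream.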
