2 Replies Latest reply on Jul 3, 2012 8:34 AM by wcliffor

    TCP Fragments and SideWinder custom application proxy

    wcliffor

      Just ran into an issue with a proxy rule and larger IP packets that need to be fragmented. Once I switched over to a filter-based rule for this traffic, the traffic passed without issue.

       

      Just curious if anyone has encountered this or not, and if so, what was the resolution?

       

      Thanks,

       

      Bill C

        • 1. Re: TCP Fragments and SideWinder custom application proxy

          Hello,

           

          Without getting any additional details, this could have something to do with PMTU discovery. When the proxy is in place, it will attempt to gather the upstream MTU information. When the firewall "rebuilds" the connection on the server side, it will limit its MTU to the size that it learned through PMTU discovery.

           

          Path MTU discovery relies on the ICMP "need to frag" messages getting back to the firewall; if they do not, then connections may fail as the firewall will continue to send large packets.

           

          Tcpdumps would be good in this case; I suggest opening a case with Support to troubleshoot further.

           

          -Matt
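
Added example, not part of the thread or any vendor tooling: a small parser for the ICMP "fragmentation needed" message (type 3, code 4, RFC 1191) that the reply above says must reach the firewall, showing which router sent it, the next-hop MTU it advertises, and which oversized packet triggered it. It assumes raw IPv4 packet bytes with the link-layer header already stripped; the helper names and the sample packet (documentation addresses) are constructed for illustration.

```python
import socket
import struct

def parse_frag_needed(pkt: bytes):
    """Return details of an ICMP 'fragmentation needed' message, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:        # not IPv4
        return None
    ihl = (pkt[0] & 0x0F) * 4                    # outer IP header length
    if pkt[9] != 1 or len(pkt) < ihl + 8 + 20:   # protocol 1 = ICMP
        return None
    icmp_type, icmp_code, _cksum, _unused, next_hop_mtu = struct.unpack(
        "!BBHHH", pkt[ihl:ihl + 8])
    if (icmp_type, icmp_code) != (3, 4):         # dest unreachable / frag needed
        return None
    inner = pkt[ihl + 8:]        # IP header of the packet that was too large
    total_len, _ident, flags_frag = struct.unpack("!HHH", inner[2:8])
    return {
        "reporting_router": socket.inet_ntoa(pkt[12:16]),
        "next_hop_mtu": next_hop_mtu,
        "orig_src": socket.inet_ntoa(inner[12:16]),
        "orig_dst": socket.inet_ntoa(inner[16:20]),
        "orig_len": total_len,
        "orig_df": bool(flags_frag & 0x4000),    # Don't Fragment bit
        "orig_proto": inner[9],                  # 6 = TCP
    }

def ipv4_header(src, dst, proto, total_len, flags_frag=0):
    # Checksum left as 0: constructed sample, not validated by the parser.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, flags_frag,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def sample_frag_needed():
    # Constructed sample: router 192.0.2.1 tells sender 198.51.100.10 that its
    # 1500-byte DF TCP packet to 203.0.113.20 exceeds a 1400-byte next hop.
    inner = ipv4_header("198.51.100.10", "203.0.113.20", 6, 1500, 0x4000)
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, 1400) + inner + b"\x00" * 8
    return ipv4_header("192.0.2.1", "198.51.100.10", 1, 20 + len(icmp)) + icmp

if __name__ == "__main__":
    print(parse_frag_needed(sample_frag_needed()))
```

If a capture on the firewall's server-side interface shows large DF-flagged TCP segments leaving but no packet for which this parser returns a result, the "need to frag" messages are not making it back.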

          • 2. Re: TCP Fragments and SideWinder custom application proxy
            wcliffor

            Matt,

             

            Ok, I'll contact them this morning and open up a ticket. Side note: looks like large ICMP packets are assembled just fine through a proxy rule, just not TCP based frags. I'll post my progress.

             

            Thanks for the help, much appreciated.

             

            Bill C