On Tue, 2004-01-13 at 03:02, Scott Hall wrote:
> So the one question that this whole issue raises in my mind is, Isn't
> there any way to handle the (DF) packets differently?

Absolutely. Config the stacks on both ends of the connection to _not_ set DF. This will cause the router at the MTU border to frag the packets and will not require an ICMP error packet.

> I ask
> because we have two Cisco routers and 6 Adtran routers that handle this
> same scenario quietly.

I'm guessing if you check the decodes from those packets you will see the public rather than the private IP embedded in the payload. I think this is what is killing you. This is an old Netfilter bug that I *thought* was fixed ages ago.

HTH,
C
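
An added example, not part of the original message: a small decoder for the ICMP "fragmentation needed" error (type 3, code 4) discussed above. It reports the next-hop MTU and the source address embedded in the payload, so a captured error can be compared against the public and private addresses in use. The function names and all addresses are constructed for illustration.

```python
import ipaddress
import struct

# RFC 1918 private ranges, checked explicitly
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_sample(inner_src, inner_dst, mtu=1400):
    """Constructed ICMP type 3 / code 4 message (sample input, not a capture)."""
    inner = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 1500, 0x1234,
        0x4000,            # flags/fragment offset: DF set
        63, 6, 0,          # TTL, protocol (TCP), checksum left 0 in this sample
        ipaddress.IPv4Address(inner_src).packed,
        ipaddress.IPv4Address(inner_dst).packed,
    )
    inner += b"\x04\x00\x00\x50\x00\x00\x00\x01"  # first 8 bytes of the TCP header
    # ICMP header: type, code, checksum, unused, next-hop MTU (RFC 1191)
    return struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + inner


def decode_frag_needed(icmp):
    """Decode an ICMP message (starting at the ICMP header).

    Returns a dict for type 3 / code 4, or None for anything else.
    """
    if len(icmp) < 8 + 20:
        return None
    icmp_type, code, _cksum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        return None
    inner = icmp[8:]                      # header of the packet that was too big
    if inner[0] >> 4 != 4:
        return None
    flags_frag = struct.unpack("!H", inner[6:8])[0]
    src = ipaddress.IPv4Address(inner[12:16])
    dst = ipaddress.IPv4Address(inner[16:20])
    return {
        "next_hop_mtu": mtu,
        "df_set": bool(flags_frag & 0x4000),
        "embedded_src": str(src),
        "embedded_dst": str(dst),
        "embedded_src_private": any(src in net for net in RFC1918),
    }


if __name__ == "__main__":
    for src in ("192.168.1.10", "203.0.113.5"):   # constructed addresses
        print(decode_frag_needed(build_sample(src, "198.51.100.20")))
```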