Re: icmp: 10.1.4.50 unreachable - need to frag (mtu 500) [tos 0xc0]


 



Thanks for the response, Chris,

The problem that I see with that solution is that most of the sites, which are many by this point, that I have had problems with aren't under my control, including aol.com. I can just see me trying to convince AOL to reconfigure their servers to not set the DF :). Are there any other workarounds that you can propose?

thnx,
 --scott

Chris Brenton wrote:

On Tue, 2004-01-13 at 03:02, Scott Hall wrote:


So the one question that this whole issue raises in my mind is, isn't there any way to handle the (DF) packets differently?



Absolutely. Config the stacks on both ends of the connection to _not_ set DF. This will cause the router at the MTU border to frag the packets and will not require an ICMP error packet.



I ask because we have two Cisco routers and 6 Adtran routers that handle this same scenario quietly.


I'm guessing if you check the decodes from those packets you will see the public rather than the private IP embedded in the payload. I think this is what is killing you. This is an old Netfilter bug that I *thought* was fixed ages ago.

HTH,
C
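
Added example, not part of the original thread: a decoder for the "need to frag" ICMP message (type 3, code 4) that exposes the next-hop MTU and the addresses in the embedded IP header, so a capture taken outside the NAT box can be checked for the private address leaking into the payload. 10.1.4.50 and MTU 500 come from the subject line; 192.0.2.10 (remote server) and 198.51.100.7 (NAT public address) are constructed, and the check assumes the remote server only accepts an error whose embedded header matches the packet as it sent it.

```python
import socket
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode_frag_needed(icmp: bytes) -> dict:
    """Decode ICMP type 3 code 4 and the IPv4 header embedded in it."""
    if len(icmp) < 28:
        raise ValueError("too short for ICMP header plus embedded IPv4 header")
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        raise ValueError("not a 'fragmentation needed' message")
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl:
        raise ValueError("malformed embedded IPv4 header")
    return {
        "next_hop_mtu": mtu,
        "checksum_ok": checksum(icmp) == 0,
        "inner_df": bool(struct.unpack("!H", inner[6:8])[0] & 0x4000),
        "inner_src": socket.inet_ntoa(inner[12:16]),
        "inner_dst": socket.inet_ntoa(inner[16:20]),
    }

def matches_sender_view(d: dict, sender_ip: str, peer_ip: str) -> bool:
    """True if the embedded header is the packet as the original sender sent it."""
    return d["checksum_ok"] and d["inner_src"] == sender_ip and d["inner_dst"] == peer_ip

def build_sample(inner_dst: str) -> bytes:
    """Constructed sample: error about a DF packet from 192.0.2.10 to inner_dst."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 63, 6, 0,
                        socket.inet_aton("192.0.2.10"), socket.inet_aton(inner_dst))
    inner += struct.pack("!HHI", 80, 40000, 1)  # first 8 bytes of the TCP header
    body = struct.pack("!BBHHH", 3, 4, 0, 0, 500) + inner
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

if __name__ == "__main__":
    for dst in ("198.51.100.7", "10.1.4.50"):  # translated vs. untranslated payload
        d = decode_frag_needed(build_sample(dst))
        print(d, matches_sender_view(d, "192.0.2.10", "198.51.100.7"))
```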







