On Mon, Mar 24, 2014 at 2:45 AM, Kevin <kevinchou.c at gmail.com> wrote: > Hi List > > days ago I post "Can't reach some route in Anyconnect" > http://lists.infradead.org/pipermail/openconnect-devel/2014-March/001759.html > and now I finally find out why. > in my iptables I have a role to enable udp like this > -A INPUT -p udp -m udp --dport 443 -j ACCEPT > after I remove this role from the iptables, My problem solved. > seems The TCP backup didn't have the MTU problem. > but I already added > iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu > and even tried > custom-header = "X-DTLS-MTU: 1200" > custom-header = "X-CSTP-MTU: 1200" > set mtu = 1200 in config file. nothing helped. > So I guess this is a MTU bug on UDP? There can be many reasons for an MTU issue in IPv4. Most issues are caused by firewalls that do not forward icmp packets (e.g., the fragmentation needed). The best if you want to figure out the issue in your case is to find out with some tool like wireshark where the packets disappear. Some background: ocserv by default sets the don't fragment bit on its udp packets, and relies on the fragmentation needed icmp packet to modify (decrease) its MTU value. The openconnect client uses the initially agreed MTU and expects any routers in between to fragment the IP packet, and the receiving host to reassemble it. Both approaches have advantages and disadvantages. The first behaves very bad when firewalls filter the icmp fragmentation needed packet, and the latter when an intermediate router doesn't fragment ip packets. regards, Nikos
