2.4.21 sending out "need to fragment" on wrong interface

From: Marc Haber
Date: Mon Nov 03 2003 - 02:32:45 EST


Hi,

I am using a Linux machine with freeS/WAN for my connectivity. The
default route points to the IPSEC link. It has recently begun to send
out "need to fragment" packets on the wrong interface.

Traffic on internal interface (int0):
08:23:23.254711 192.168.130.117.3913 > 10.173.220.202.22: tcp 112 (DF)
08:23:23.295669 10.173.220.202.22 > 192.168.130.117.3913: tcp 0 (DF) [tos 0x10]
08:23:24.166039 10.173.220.202.22 > 192.168.130.117.3913: tcp 48 (DF) [tos 0x10]
08:23:24.177886 10.173.220.202.22 > 192.168.130.117.3913: tcp 144 (DF) [tos 0x10]
08:23:24.178021 192.168.130.117.3913 > 10.173.220.202.22: tcp 0 (DF)
08:23:24.181494 192.168.130.117.3913 > 10.173.220.202.22: tcp 48 (DF)
08:23:24.189591 10.173.220.202.22 > 192.168.130.117.3913: tcp 0 (DF) [tos 0x10]
08:23:24.193480 10.173.220.202.22 > 192.168.130.117.3913: tcp 144 (DF) [tos 0x10]
08:23:24.320311 192.168.130.117.3913 > 10.173.220.202.22: tcp 0 (DF)
08:23:24.492389 192.168.130.117.3913 > 10.173.220.202.22: tcp 48 (DF)
08:23:24.502863 10.173.220.202.22 > 192.168.130.117.3913: tcp 112 (DF) [tos 0x10]
08:23:24.507594 192.168.130.117.3913 > 10.173.220.202.22: tcp 1460 (DF)
08:23:24.507605 192.168.130.117.3913 > 10.173.220.202.22: tcp 44 (DF)
08:23:24.525303 10.173.220.202.22 > 192.168.130.117.3913: tcp 0 (DF) [tos 0x10]
08:23:24.721878 192.168.130.117.3913 > 10.173.220.202.22: tcp 1460 (DF)
08:23:25.323799 192.168.130.117.3913 > 10.173.220.202.22: tcp 1460 (DF)
08:23:26.527647 192.168.130.117.3913 > 10.173.220.202.22: tcp 1460 (DF)
08:23:28.935316 192.168.130.117.3913 > 10.173.220.202.22: tcp 1460 (DF)

Traffic on external interface (ipsec0):
08:23:23.254981 10.173.222.70.3913 > 10.173.220.202.22: tcp 112 (DF)
08:23:23.295116 10.173.220.202.22 > 10.173.222.70.3913: tcp 0 (DF) [tos 0x10]
08:23:24.165446 10.173.220.202.22 > 10.173.222.70.3913: tcp 48 (DF) [tos 0x10]
08:23:24.177235 10.173.220.202.22 > 10.173.222.70.3913: tcp 144 (DF) [tos 0x10]
08:23:24.178225 10.173.222.70.3913 > 10.173.220.202.22: tcp 0 (DF)
08:23:24.181726 10.173.222.70.3913 > 10.173.220.202.22: tcp 48 (DF)
08:23:24.189057 10.173.220.202.22 > 10.173.222.70.3913: tcp 0 (DF) [tos 0x10]
08:23:24.192856 10.173.220.202.22 > 10.173.222.70.3913: tcp 144 (DF) [tos 0x10]
08:23:24.320551 10.173.222.70.3913 > 10.173.220.202.22: tcp 0 (DF)
08:23:24.492626 10.173.222.70.3913 > 10.173.220.202.22: tcp 48 (DF)
08:23:24.502248 10.173.220.202.22 > 10.173.222.70.3913: tcp 112 (DF) [tos 0x10]
08:23:24.507881 10.173.222.70.3913 > 10.173.220.202.22: tcp 1460 (DF)
08:23:24.510045 10.173.222.70.3913 > 10.173.220.202.22: tcp 44 (DF)
08:23:24.524751 10.173.220.202.22 > 10.173.222.70.3913: tcp 0 (DF) [tos 0x10]
08:23:24.722148 10.173.222.70.3913 > 10.173.220.202.22: tcp 1460 (DF)
08:23:25.324085 10.173.222.70.3913 > 10.173.220.202.22: tcp 1460 (DF)
08:23:26.527928 10.173.222.70.3913 > 10.173.220.202.22: tcp 1460 (DF)
08:23:28.935608 10.173.222.70.3913 > 10.173.220.202.22: tcp 1460 (DF)

Traffic on lo:
08:23:24.508192 10.173.222.70 > 192.168.130.117: icmp: 10.173.220.202 unreachable - need to frag (mtu 1443) [tos 0xc0]
08:23:24.722400 10.173.222.70 > 192.168.130.117: icmp: 10.173.220.202 unreachable - need to frag (mtu 1443) [tos 0xc0]
08:23:25.324338 10.173.222.70 > 192.168.130.117: icmp: 10.173.220.202 unreachable - need to frag (mtu 1443) [tos 0xc0]
08:23:26.528190 10.173.222.70 > 192.168.130.117: icmp: 10.173.220.202 unreachable - need to frag (mtu 1443) [tos 0xc0]
08:23:28.935862 10.173.222.70 > 192.168.130.117: icmp: 10.173.220.202 unreachable - need to frag (mtu 1443) [tos 0xc0]
08:23:33.751079 10.173.222.70 > 192.168.130.117: icmp: 10.173.220.202 unreachable - need to frag (mtu 1443) [tos 0xc0]

Routing table:
[6/506]mh@torres:~$ ip route
192.168.131.0/29 dev eth0 proto kernel scope link src 192.168.131.1
10.173.222.64/29 dev eth0 proto kernel scope link src 10.173.222.70
10.173.222.64/29 dev ipsec0 proto kernel scope link src 10.173.222.70
10.173.222.72/29 dev eth1 proto kernel scope link src 10.173.222.73
10.173.222.72/29 dev ipsec1 proto kernel scope link src 10.173.222.73
192.168.130.0/24 dev int0 proto kernel scope link src 192.168.130.1
0.0.0.0/1 via 10.173.222.65 dev ipsec0
128.0.0.0/1 via 10.173.222.65 dev ipsec0
default via 10.173.222.65 dev eth0

[1/501]mh@torres:~$ ip route list match 192.168.130.117
192.168.130.0/24 dev int0 proto kernel scope link src 192.168.130.1
128.0.0.0/1 via 212.126.222.65 dev ipsec0
default via 212.126.222.65 dev eth0
[2/502]mh@torres:~$

Can anybody tell me why my box is sending out the ICMP 10.173.220.202
unreachable packets on lo instead of int0 where the route points to?
Thank you very much.

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Karlsruhe, Germany | lose things." Winona Ryder | Fon: *49 721 966 32 15
Nordisch by Nature | How to make an American Quilt | Fax: *49 721 966 31 29
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/