 
 From:  "Philippe Lang" <philippe dot lang at attiksystem dot ch>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Fragmented packets, VPN & Windows 2000 domain problem
 Date:  Mon, 6 Feb 2006 11:54:41 +0100
Hi,

I have just replaced a firewall with m0n0wall 1.21. It has 4 VPNs for remote
locations.

It works fine, except for remote Windows 2000 users: they cannot connect to
the Windows 2000 server's domain anymore.

A closer look with a packet sniffer showed a problem with fragmented packets
sent from the domain server:

11:39:14.961864 172.19.10.251.1808 > 172.17.0.10.microsoft-ds: . ack 788 win 16734 (DF)
11:39:14.968225 172.19.10.251.1810 > 172.17.0.10.microsoft-ds: . ack 1 win 17520 (DF)
11:39:14.977713 172.19.10.251.1810 > 172.17.0.10.microsoft-ds: P 1:138(137) ack 1 win 17520 (DF)
11:39:14.978583 172.19.10.251.1811 > 172.17.0.10.netbios-ssn: R 2266796820:2266796820(0) win 0
11:39:14.986532 172.17.0.10.microsoft-ds > 172.19.10.251.1810: P 1:183(182) ack 138 win 17383 (DF)
11:39:15.035832 172.19.10.251.radius > 172.17.0.10.kerberos-sec:  v5
11:39:15.039335 172.17.0.10.kerberos-sec > 172.19.10.251.radius:  v5 (frag 11647:1480@0+)
11:39:15.039360 172.17.0.10 > 172.19.10.251: udp (frag 11647:4@1480)
11:39:15.225298 172.19.10.251.1810 > 172.17.0.10.microsoft-ds: . ack 183 win 17338 (DF)
11:39:20.031144 172.19.10.251.radius > 172.17.0.10.kerberos-sec:  v5
11:39:20.034321 172.17.0.10.kerberos-sec > 172.19.10.251.radius:  v5 (frag 12149:1480@0+)
11:39:20.034325 172.17.0.10 > 172.19.10.251: udp (frag 12149:4@1480)


Kerberos fragmented packets are apparently not sent back to the remote
Windows 2000 machine.

Strange thing: this does not affect Windows XP remote machines. I guess it
has to do with the way AD is being accessed.

I have tried several things so far:

1) Checked the MTU everywhere, which I have set to 1492. (ADSL)
2) Checked "Allow fragmented packets" in the "Default LAN -> any" rule, the
only one configured for now.


What else could I try to make it work? Any idea is welcome!

Thanks!


----------------------------------
Philippe Lang, Ing. Dipl. EPFL
Attik System
rte de la Fonderie 2
1700 Fribourg
Switzerland
http://www.attiksystem.ch

Tel:      +41 (26) 422 13 75 
Fax:      +41 (26) 422 13 76
Email:    philippe dot lang at attiksystem dot ch
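The capture quoted in the message shows the KDC's reply leaving the server as two IP fragments (1480 bytes at offset 0 with the more-fragments flag, then 4 bytes at offset 1480; 1480 is what a 1500-byte Ethernet MTU leaves after a 20-byte IP header) and the client re-sending the identical Kerberos request about five seconds later, which is what a dropped fragment looks like from the client's side. The script below is an added example, not part of the original post or of m0n0wall: it parses tcpdump summary lines of that shape, checks every fragmented datagram for completeness, and flags UDP requests a client repeated shortly after a fragmented reply. The sample lines are constructed to mirror the excerpt above; the 10-second retransmission window and all function and field names are assumptions of this example.

```python
"""Spot UDP requests a client re-sends after a fragmented reply.

Added example for the tcpdump excerpt discussed in the message; not part of the
original post or of m0n0wall.  SAMPLE_CAPTURE is constructed to mirror that
excerpt; the window, function and field names are this script's assumptions.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the capture in the message (one packet per line).
SAMPLE_CAPTURE = """\
11:39:15.035832 172.19.10.251.radius > 172.17.0.10.kerberos-sec:  v5
11:39:15.039335 172.17.0.10.kerberos-sec > 172.19.10.251.radius:  v5 (frag 11647:1480@0+)
11:39:15.039360 172.17.0.10 > 172.19.10.251: udp (frag 11647:4@1480)
11:39:15.225298 172.19.10.251.1810 > 172.17.0.10.microsoft-ds: . ack 183 win 17338 (DF)
11:39:20.031144 172.19.10.251.radius > 172.17.0.10.kerberos-sec:  v5
11:39:20.034321 172.17.0.10.kerberos-sec > 172.19.10.251.radius:  v5 (frag 12149:1480@0+)
11:39:20.034325 172.17.0.10 > 172.19.10.251: udp (frag 12149:4@1480)
"""

LINE_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2}\.\d+) (\S+) > (\S+?):\s*(.*)$")
FRAG_RE = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")  # (frag ID:LEN@OFFSET[+]), '+' = more follow
HOST_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)(?:\.(\S+))?$")  # IPv4 host with optional .port/.service


def parse_line(line):
    """Turn one tcpdump summary line into a dict; None if it is not an IPv4 packet line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    hh, mm, ss, src, dst, rest = m.groups()
    sh, dh = HOST_RE.match(src), HOST_RE.match(dst)
    if not (sh and dh):
        return None
    rec = {"t": int(hh) * 3600 + int(mm) * 60 + float(ss),
           "src": sh.group(1), "sport": sh.group(2), "dst": dh.group(1), "dport": dh.group(2),
           "summary": rest, "frag": None}
    f = FRAG_RE.search(rest)
    if f:
        ident, length, offset, more = f.groups()
        rec["frag"] = {"id": int(ident), "len": int(length), "off": int(offset), "more": more == "+"}
    return rec


def reassemble(records):
    """Group IP fragments by (src, dst, IP id) and check each datagram is contiguous and final."""
    groups = defaultdict(list)
    for r in records:
        if r["frag"]:
            groups[(r["src"], r["dst"], r["frag"]["id"])].append(r["frag"])
    result = {}
    for key, frags in groups.items():
        frags.sort(key=lambda f: f["off"])
        seen, complete = 0, True
        for f in frags:
            if f["off"] != seen:  # gap or overlap: a fragment is missing from the capture
                complete = False
                break
            seen = f["off"] + f["len"]
        if frags[-1]["more"]:  # the last piece we saw still promises more fragments
            complete = False
        result[key] = {"fragments": len(frags), "size": seen, "complete": complete}
    return result


def find_retransmits(records, window=10.0):
    """Pair each unfragmented send with the next identical send from the same client within
    `window` seconds; report it when a fragmented reply from the server sits between the two,
    i.e. the client apparently never reassembled the reply and tried again."""
    hits = []
    plain = [r for r in records if r["frag"] is None]
    for i, first in enumerate(plain):
        key = (first["src"], first["sport"], first["dst"], first["dport"], first["summary"])
        again = next((r for r in plain[i + 1:]
                      if (r["src"], r["sport"], r["dst"], r["dport"], r["summary"]) == key
                      and r["t"] - first["t"] <= window), None)
        if again is None:
            continue
        lost = sorted({r["frag"]["id"] for r in records
                       if r["frag"] and r["src"] == first["dst"] and r["dst"] == first["src"]
                       and first["t"] < r["t"] < again["t"]})
        if lost:
            hits.append({"client": first["src"], "server": first["dst"], "service": first["dport"],
                         "delay": round(again["t"] - first["t"], 6), "reply_ids": lost})
    return hits


def analyse(text, window=10.0):
    """Parse a whole capture; return (datagrams by (src, dst, id), retransmission hits)."""
    records = [r for r in map(parse_line, text.splitlines()) if r]
    return reassemble(records), find_retransmits(records, window)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    datagrams, hits = analyse(text)
    for (src, dst, ident), d in datagrams.items():
        print(f"{src} -> {dst} id {ident}: {d['fragments']} fragment(s), {d['size']} bytes, "
              f"{'complete' if d['complete'] else 'INCOMPLETE'}")
    for h in hits:
        print(f"{h['client']} re-sent its {h['service']} request to {h['server']} after "
              f"{h['delay']:.3f}s; fragmented reply id(s) in between: {h['reply_ids']}")
```

Feed it `tcpdump -n` output taken on the server's LAN and again on the far side of the VPN: a datagram that is complete on one capture and shows only its first fragment on the other is being dropped by whatever sits between the two points, and the repeated request with no reassembled reply is the symptom the client sees.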