The problem is very selective (it affects ONLY Outlook to Exchange) and
in a production environment, so I am a little hesitant to try a version
that hasn't gone through a lot of testing. There is also not an easy
way for me to lab this, since the problem is intermittent - some systems
seem to exhibit it, while others are OK - and I have to get on a plane
to get at this particular network physically.
I ran ping tests from the client system to the Exchange system (ping
the.server.com -f -l 1472); the result of these was no fragmentation up
to 1472. I also ran Network Monitor on the Exchange Server, which was
inconclusive, but admitting my ignorance: is there a way to detect
fragmented packets using Network Monitor? There was nothing obvious in
the traces that I ran.
My best guess at this point is some sort of latency issue, where the
encryption/decryption of the packets is somehow taking long enough to
cause timeouts on the server or client for this Outlook -> Exchange
operation - poorly handled fragmented packets would make sense in terms
of causing this, but wouldn't the ping detect this? The network itself
is a 1.5 mb T1 to another 1.5 mb T1.
Also, each of the m0n0walls in question is running a Duron 1.8 GHz
processor - I have never seen the load on these go above 2%, so the
hardware should be able to handle the compression and decompression
without lagging, I assume. The speed improvement using AH instead of
ESP is noticeable across remote desktop. What is the point of AH across
IPsec if it provides little or no security? Is it just an issue of the
key exchange, or is it the whole data packet that Phase 2 deals with?
Kristian Shaw wrote:
> Hello Jeff, Philippe,
> I have created a version of m0n0wall that just corrects the fragmented
> packet issue and you can download it from the link below. I've also
> done an image for the net48xx but I have no way of testing it.
> Please don't make this link public - it's not hosted on a very fast
> ----- Original Message ----- From: "Philippe Lang"
> <philippe dot lang at attiksystem dot ch>
> To: "Jeff Buehler" <jeff at buehlertech dot com>; <m0n0wall at lists dot m0n0 dot ch>
> Sent: Thursday, February 09, 2006 9:44 AM
> Subject: RE: [m0n0wall] outlook -> exchange problem
> Have you tried using a sniffer on the network? There are issues with
> fragmented packets and monowall inside VPNs, which can create problems,
> for example accessing Active Directory from a remote location. I wouldn't be
> surprised if you had this kind of problem too.
> Kris Shaw has just released a monowall image that corrects that: have a
> look at his message of yesterday "Version of m0n0wall that filters VPN
> traffic/Allows fragments".
> Also, look at my two messages from 06.02.06 "Fragmented packets, VPN &
> Windows 2000 domain problem".
> Hope this helps. Feedback is welcome...
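The question in the thread is how to recognise fragmented packets in a capture, and why a `ping -f -l 1472` that passes on the bare link says nothing about what happens inside the tunnel. The following is an added example, not code from the thread or from m0n0wall: it builds constructed IPv4 headers, classifies each by its MF flag and fragment offset (the two fields a sniffer filter keys on), and computes the largest ping payload that still fits once a tunnel overhead is subtracted. The `tunnel_overhead` value is an assumed parameter; real ESP/AH overhead depends on the negotiated transforms.

```python
import struct

# Constructed 20-byte IPv4 headers for illustration (not captures from the
# network in the thread). flags is the 3-bit field: bit 1 = DF, bit 0 = MF.
def build_ipv4_header(total_length, ident, flags, frag_offset, proto=1):
    ver_ihl = (4 << 4) | 5                       # IPv4, 5 x 32-bit words
    flags_frag = (flags << 13) | (frag_offset & 0x1FFF)  # offset in 8-byte units
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_length, ident,
                       flags_frag, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def classify_fragment(packet):
    """Return 'unfragmented', 'first', 'middle' or 'last' for one IPv4 packet.

    A packet is part of a fragment train if MF (More Fragments) is set or
    the fragment offset is non-zero; this is the test a capture filter uses.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    flags_frag, = struct.unpack("!H", packet[6:8])
    mf = bool(flags_frag & 0x2000)
    offset = flags_frag & 0x1FFF
    if not mf and offset == 0:
        return "unfragmented"
    if mf and offset == 0:
        return "first"
    return "middle" if mf else "last"

def count_fragments(packets):
    """Count packets that belong to any fragment train in a list of raw IPv4 packets."""
    return sum(1 for p in packets if classify_fragment(p) != "unfragmented")

def max_unfragmented_ping_payload(link_mtu=1500, tunnel_overhead=0):
    """Largest ping -l value that fits in one packet: MTU minus 20-byte IP
    header and 8-byte ICMP header, minus whatever the tunnel adds per packet.
    With no tunnel this is the 1472 used in the thread."""
    return link_mtu - tunnel_overhead - 28

if __name__ == "__main__":
    sample = [build_ipv4_header(1500, 7, 0b000, 0),      # plain packet
              build_ipv4_header(1500, 8, 0b001, 0),      # first fragment
              build_ipv4_header(1500, 8, 0b001, 185),    # middle fragment
              build_ipv4_header(100, 8, 0b000, 370)]     # last fragment
    for p in sample:
        print(classify_fragment(p))
    print("fragments:", count_fragments(sample))
    print("max ping -l with 60 bytes of assumed tunnel overhead:",
          max_unfragmented_ping_payload(tunnel_overhead=60))
```

The same MF/offset test is what a "fragments only" display filter in a sniffer applies, so a clean ping on the outer link combined with fragments inside the tunnel points at the encapsulation overhead rather than the T1 itself.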