Fragmented reply ICMP packages not reassembled
I am trying to ping a machine over an ipsec tunnel:
ping -s 1371 10.255.3.1
If I reduce the size by 1, everything works fine; if not, I get the following answers:
13:40:36.610128 (authentic,confidential): SPI 0x8b2f68b1: IP 172.22.1.12 > 10.255.3.1: ICMP echo request, id 15512, seq 11, length 1379
13:40:36.630910 (authentic,confidential): SPI 0xc96b97c6: IP 10.255.3.1 > 10.254.3.12: ICMP echo reply, id 15512, seq 11, length 1376
13:40:36.631000 (authentic,confidential): SPI 0xc96b97c6: IP 10.255.3.1 > 10.254.3.12: ip-proto-1
(The IP mismatch is caused by NAT from 172.22.1.0/24 to 10.254.3.0/24)
As you can see the reply is fragmented and the filter logs show:
Aug 31 13:41:19 gw01 filterlog: 9,16777216,,1000000103,enc0,match,block,in,4,0x0,,61,59083,0,+,1,icmp,1396,10.255.3.1,10.254.3.12,reply,15512,531376
Aug 31 13:41:19 gw01 filterlog: 9,16777216,,1000000103,enc0,match,block,in,4,0x0,,61,59083,1376,none,1,icmp,23,10.255.3.1,10.254.3.12,
Any ideas why pfSense would not reassemble the packets and if there is anything I can do to fix that? Version is 2.3.4-RELEASE-p1
Thanks,
Florian
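
An added example, not part of the original post: a small Python check that groups blocked filterlog entries by IP ID and tests whether the blocked fragments together make up a whole datagram. The field positions are an assumption based on the pfSense raw filter log layout for IPv4 (action at index 6, IP ID, offset and flags at 12 to 14, length at 17), as is the 20-byte IP header; the function names are hypothetical.

```python
from collections import defaultdict

# The two filterlog entries from the post (the text after "filterlog: ").
SAMPLE = [
    "9,16777216,,1000000103,enc0,match,block,in,4,0x0,,61,59083,0,+,1,"
    "icmp,1396,10.255.3.1,10.254.3.12,reply,15512,531376",
    "9,16777216,,1000000103,enc0,match,block,in,4,0x0,,61,59083,1376,none,1,"
    "icmp,23,10.255.3.1,10.254.3.12,",
]
IP_HEADER = 20  # assumption: IPv4 header without options


def parse(entry):
    """Parse one IPv4 entry; field positions are assumed, see lead-in."""
    f = entry.split(",")
    if len(f) < 20 or f[8] != "4":
        return None
    return {"iface": f[4], "action": f[6], "ip_id": int(f[12]),
            "offset": int(f[13]), "more": "+" in f[14], "proto": f[16],
            "length": int(f[17]), "src": f[18], "dst": f[19]}


def blocked_fragment_sets(entries):
    """Group blocked fragments per datagram and check the set is complete."""
    groups = defaultdict(list)
    for e in filter(None, map(parse, entries)):
        # A fragment has the more-fragments flag set or a non-zero offset.
        if e["action"] == "block" and (e["more"] or e["offset"] > 0):
            key = (e["src"], e["dst"], e["proto"], e["ip_id"])
            groups[key].append(e)
    report = []
    for key, frags in groups.items():
        frags.sort(key=lambda e: e["offset"])
        end, contiguous = 0, True
        for e in frags:
            # Each fragment must start where the previous payload ended.
            contiguous = contiguous and e["offset"] == end
            end = e["offset"] + e["length"] - IP_HEADER
        report.append({"datagram": key, "fragments": len(frags),
                       "payload_bytes": end,
                       "complete": contiguous and not frags[-1]["more"]})
    return report


if __name__ == "__main__":
    for row in blocked_fragment_sets(SAMPLE):
        print(row)
```

For the two entries above it reports a single datagram (IP ID 59083) whose two blocked fragments are contiguous and add up to 1379 payload bytes, the ICMP length of the echo request in the capture.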