Netgate Discussion Forum

    Fragmented reply ICMP packages not reassembled

    IPsec

      apollo13

      I am trying to ping a machine over an IPsec tunnel:

      ping -s 1371 10.255.3.1
      

      If I reduce the size by 1, everything works fine; if not, I get the following answers:

      
      13:40:36.610128 (authentic,confidential): SPI 0x8b2f68b1: IP 172.22.1.12 > 10.255.3.1: ICMP echo request, id 15512, seq 11, length 1379
      13:40:36.630910 (authentic,confidential): SPI 0xc96b97c6: IP 10.255.3.1 > 10.254.3.12: ICMP echo reply, id 15512, seq 11, length 1376
      13:40:36.631000 (authentic,confidential): SPI 0xc96b97c6: IP 10.255.3.1 > 10.254.3.12: ip-proto-1
      
      

      (The IP mismatch is caused by NAT from 172.22.1.0/24 to 10.254.3.0/24)

      As you can see, the reply is fragmented and the filter logs show:

      
      Aug 31 13:41:19 gw01 filterlog: 9,16777216,,1000000103,enc0,match,block,in,4,0x0,,61,59083,0,+,1,icmp,1396,10.255.3.1,10.254.3.12,reply,15512,531376
      Aug 31 13:41:19 gw01 filterlog: 9,16777216,,1000000103,enc0,match,block,in,4,0x0,,61,59083,1376,none,1,icmp,23,10.255.3.1,10.254.3.12,
      
      

      Any ideas why pfSense would not reassemble the packets and if there is anything I can do to fix that? Version is 2.3.4-RELEASE-p1

      Thanks,
      Florian

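Added example, not part of the original post: a Python parser for the two filterlog lines quoted above. It groups blocked IPv4 fragments by source, destination, protocol and IP ID and checks whether they form one contiguous datagram. The field order is assumed from pfSense's documented raw filter log layout, and the 20-byte IP header (no options) is an assumption.

```python
import csv
from collections import defaultdict

# Log lines copied from the post above (syslog prefix + filterlog CSV payload).
SAMPLE = [
    "Aug 31 13:41:19 gw01 filterlog: 9,16777216,,1000000103,enc0,match,block,in,4,0x0,,61,59083,0,+,1,icmp,1396,10.255.3.1,10.254.3.12,reply,15512,531376",
    "Aug 31 13:41:19 gw01 filterlog: 9,16777216,,1000000103,enc0,match,block,in,4,0x0,,61,59083,1376,none,1,icmp,23,10.255.3.1,10.254.3.12,",
]

# Assumed IPv4 field order of the raw filter log (common fields only).
FIELDS = ["rule", "subrule", "anchor", "tracker", "iface", "reason", "action",
          "direction", "ipver", "tos", "ecn", "ttl", "ip_id", "offset", "flags",
          "proto_id", "proto", "length", "src", "dst"]
IP_HEADER_LEN = 20  # assumption: no IP options

def parse_line(line):
    """Return a dict of the common IPv4 fields, or None for other lines."""
    _, sep, payload = line.partition("filterlog: ")
    if not sep:
        return None
    cols = next(csv.reader([payload]))
    if len(cols) < len(FIELDS) or cols[8] != "4":
        return None
    rec = dict(zip(FIELDS, cols))
    for key in ("ttl", "ip_id", "offset", "length"):
        rec[key] = int(rec[key])
    # A fragment has the more-fragments flag ("+") set or a non-zero offset.
    rec["is_fragment"] = "+" in rec["flags"] or rec["offset"] > 0
    return rec

def blocked_fragment_sets(lines):
    """Group blocked fragments by datagram and report whether the set is complete."""
    groups = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["action"] == "block" and rec["is_fragment"]:
            groups[(rec["src"], rec["dst"], rec["proto"], rec["ip_id"])].append(rec)
    report = {}
    for key, frags in groups.items():
        frags.sort(key=lambda r: r["offset"])
        end, complete = 0, True
        for f in frags:
            complete = complete and f["offset"] == end  # no gap before this fragment
            end = f["offset"] + f["length"] - IP_HEADER_LEN
        complete = complete and "+" not in frags[-1]["flags"]  # last fragment seen
        report[key] = {"fragments": len(frags), "payload_bytes": end, "complete": complete}
    return report

if __name__ == "__main__":
    print(blocked_fragment_sets(SAMPLE))
```

On the quoted lines this reports one datagram (IP ID 59083) made of two blocked fragments whose payloads add up to 1379 bytes, which matches the 1371-byte ping payload plus the 8-byte ICMP header.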
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.