4. Fragmented reply ICMP packages not reassembled

Fragmented reply ICMP packages not reassembled

  • A

    I am trying to ping a machine over an ipsec tunnel:

    ping -s 1371 10.255.3.1

    If I reduce the size by 1 everything works fine, if not I get the following answers:

    
13:40:36.610128 (authentic,confidential): SPI 0x8b2f68b1: IP 172.22.1.12 > 10.255.3.1: ICMP echo request, id 15512, seq 11, length 1379
13:40:36.630910 (authentic,confidential): SPI 0xc96b97c6: IP 10.255.3.1 > 10.254.3.12: ICMP echo reply, id 15512, seq 11, length 1376
13:40:36.631000 (authentic,confidential): SPI 0xc96b97c6: IP 10.255.3.1 > 10.254.3.12: ip-proto-1

    (The ip missmatch is caused by NAT from 172.22.1.0/24 to 10.254.3.0/24)

    As you can see the reply is fragmented and the filter logs show:

    
Aug 31 13:41:19 gw01 filterlog: 9,16777216,,1000000103,enc0,match,block,in,4,0x0,,61,59083,0,+,1,icmp,1396,10.255.3.1,10.254.3.12,reply,15512,531376
Aug 31 13:41:19 gw01 filterlog: 9,16777216,,1000000103,enc0,match,block,in,4,0x0,,61,59083,1376,none,1,icmp,23,10.255.3.1,10.254.3.12,

    Any ideas why pfsense would not reassemble the packets and if there is anything I can do to fix that? Version is 2.3.4-RELEASE-p1

    Thanks,
    Florian

    0
Log in to reply
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy