Fragmented UDP packets blocked

[FuzzyDice]

Hello everyone.

I am seeing fragmented UDP packets being blocked at my WS-10-250-AC, firmware 1.4.5. Here is a permalink to one of the tests I did using the ICSI Netalyzr tool:

http://n2.netalyzr.icsi.berkeley.edu/re ... ca-af7a/rd

When I bypass the Netonix switch the tool reports no blockage of UDP fragments.

I can go into more detail about my network setup and configuration if needed, but before doing that I wanted to see if there was a setting or something in the switch that affects this? I poked around and couldn't find anything that seemed related to this issue, but my wife will tell you I couldn't find the water from a boat.

Thanks!

[Eric Stern]

You can try increasing the MTU on the Ports tab.

[FuzzyDice]

Currently set to 1528, with the rest of the network set to 1500. The WAN link is 1500, so that's going to be the maximum path MTU regardless.

The problem isn't that the packets are being fragmented - that's going to happen regardless since the path MTU will always be max 1500. The problem is that fragmented UDP packets aren't making it past the Netonix for some reason. If I run this test with the Netonix bypassed the fragmented UDP packets are passed across the entire path, including the WAN link.

I have customers using a variety of VOIP, VPN, and IPSec connections which all pass the occasional jumbo UDP frame and it's causing disruption to their services when the fragments are being blocked. With the popularity of Netonix among WISPs I would have expected this issue to have surfaced, so I'm not sure if this is expected behavior from the Netonix or if I have a special problem.

[Eric Stern]

I tested this with the switches in my lab and it passes every time. I tried a number of configuration changes to try and cause it to happen.

If you'd like to send me backup of the configuration of your switch I can look at it. You can email it to eric@netonix.com.

But I can't think of any configuration issue that could be causing this, as the switch operates at layer 2 and thus it doesn't know or care what is going on at layer 4 (UDP).

[Eric Stern]

I was able to duplicate this problem using your configuration.

On the Ports tab disable DHCP Snooping (DS) on all your ports.

[FuzzyDice]

That was it - thank you!

[michwave]

Is this going to get resolved? Will we be able to use DHCP snooping again?

[Eric Stern]

I'll look into it.

[michwave]

I'm surprised many others haven't run into this with VPNs being blocked. Any update on this?

Thanks
Jon