> I am not sure if it is the case:
> 1. I can access the web site in question on the Linux router.
> 2. Here is the slip interface on the router:
> # ifconfig sl0
> sl0 Link encap:VJ Serial Line IP
> inet addr:209.249.10.145 P-t-P:209.249.10.10 Mask:255.255.255.255
> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:576 Metric:1
                                         ^^^^^^^
This explains it. Your other box is connected to an ethernet with MTU of
1500. Thus it sends an MSS option of 1500-X in the initial SYN of the
TCP connection. Now the other server correctly sets its MSS to 1500-X
and sends packets with that size with the Don't-Fragment bit set for PMTU
discovery. Once they reach the other end of your slip link they get dropped
and the router sends back an ICMP frag-needed to tell the other box to lower
its PMTU - but because of the ICMP-blocking firewalls set up by people that
were so nicely described by Alan, it never sees them.

It does not happen from your router box, because there the first interface
has a 576 MTU, which means that TCP only puts a small MSS option in the first
SYN, and all packets that are exchanged are small and no PMTU discovery is
needed.

One workaround: set the MTU on the gateway route you use on the other box
(route add default gw ROUTER mss 576), then the MSS will contain small values
from the beginning. It would be better to complain to the sites that don't
work, because it is clearly a misconfiguration on their part. Another workaround
is to increase the sl0 MTU to 1500 bytes.
-Andi
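
The failure described in this reply, as a small Python model (an added example, not part of the original mail). It assumes the mail's X is 40 bytes (IPv4 plus TCP headers without options), that the links before the SLIP line have an MTU of 1500, and it treats the 576 in the route workaround as a route MTU, as the mail words it; the function names are hypothetical.

```python
# Added illustration: a toy model of path-MTU discovery for the case in the mail.
HEADERS = 40  # assumed value of the mail's "X": IPv4 (20) + TCP (20), no options

def advertised_mss(interface_mtu, route_mtu=None):
    """MSS a host announces in its SYN, derived from the MTU it sees locally.

    route_mtu models the `route add default gw ROUTER mss 576` workaround,
    treated here as a per-route MTU (assumption, following the mail's wording).
    """
    mtu = min(interface_mtu, route_mtu) if route_mtu else interface_mtu
    return mtu - HEADERS

def deliver(client_mss, path_mtus, icmp_reaches_sender, max_tries=4):
    """Sender pushes a full-size DF packet over links with the given MTUs.

    path_mtus[0] is the sender's own link. Returns (delivered, packet_size,
    drops), where drops counts packets discarded at a too-small link.
    """
    pmtu = path_mtus[0]
    drops = 0
    size = 0
    for _ in range(max_tries):
        size = min(client_mss + HEADERS, pmtu)
        too_small = next((m for m in path_mtus if m < size), None)
        if too_small is None:
            return True, size, drops
        drops += 1                      # DF is set, so the router drops it
        if icmp_reaches_sender:
            pmtu = too_small            # frag-needed arrives: lower the PMTU
        # otherwise the sender retransmits at the same size: a black hole
    return False, size, drops

if __name__ == "__main__":
    path = [1500, 1500, 576]            # constructed: server LAN, transit, sl0
    cases = {
        "LAN box, ICMP filtered": (advertised_mss(1500), path, False),
        "LAN box, ICMP delivered": (advertised_mss(1500), path, True),
        "router itself, ICMP filtered": (advertised_mss(576), path, False),
        "LAN box with route MTU 576": (advertised_mss(1500, 576), path, False),
        "sl0 raised to 1500": (advertised_mss(1500), [1500, 1500, 1500], False),
    }
    for name, args in cases.items():
        print(f"{name:30} -> {deliver(*args)}")
```

Only the first case stalls: every full-size packet is dropped at the 576-byte link and the sender never learns why.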