VPN Connection Problem

Actually I have a question again.

Why does CPF block fragmented IP datagrams even though the firewall is disabled & shut down?

I wouldn’t expect that it would, as there isn’t supposed to be anything running (under those conditions) that would be doing the checking. At least, that’s how I understand it.

Yeah, I thought so, too. But I just tried it again, checked the setting “block fragmented datagrams” and disabled the firewall and also shut down CPF, but CPF still blocks the datagrams. So CPF definitely still blocks something when it’s disabled.

I’ll inquire of the other moderators. I have no idea on this.

It looks like you may have uncovered a bug in CFP. One of the other moderators suggested this as a possible workaround, to try changing the packet MTU size so that there aren’t fragmented packets. (Thanks go to gibran for that idea).

To find the largest MTU size that doesn’t fragment is a trial-and-error process. You need to try to ping an address thru your VPN to find the VPN limit on what fragments and what doesn’t. This web page http://help.expedient.net/broadband/mtu_ping_test.shtml describes the process, and this web page at ibm.com gives some additional detail.

I’ll suggest trying to find the MTU first. If that doesn’t give a workaround, then it looks like a bug report will be needed in the Bug Reports forum.
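The trial-and-error ping test described above, automated as a binary search (an added example, not part of the original post; the function names are illustrative, and the simulated limits in the demo are constructed from the payload sizes reported in this thread):

```python
import platform
import subprocess

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header (the "+ 28" step)


def ping_df(host, payload):
    """Send one echo request with Don't Fragment set; True only if a reply arrived."""
    if platform.system() == "Windows":
        cmd = ["ping", "-f", "-l", str(payload), "-n", "1", host]
    else:  # Linux iputils ping
        cmd = ["ping", "-M", "do", "-s", str(payload), "-c", "1", "-W", "2", host]
    try:
        out = subprocess.run(cmd, capture_output=True, timeout=10)
    except (subprocess.TimeoutExpired, OSError):
        return False
    # A timeout and a "needs to be fragmented" error both count as failure;
    # only a real echo reply carries a TTL field in the output.
    return out.returncode == 0 and b"ttl=" in out.stdout.lower()


def largest_unfragmented_payload(probe, low=64, high=1472):
    """Binary search for the largest payload size for which probe(size) is True.

    Assumes every size at or below the path limit passes and every larger one fails.
    Returns None if even the smallest probe fails (host unreachable, ICMP filtered).
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low


def path_mtu(probe, low=64, high=1472):
    """MTU to configure = largest passing ping payload + 28 bytes of headers."""
    payload = largest_unfragmented_payload(probe, low, high)
    return None if payload is None else payload + IP_ICMP_OVERHEAD


if __name__ == "__main__":
    # Constructed probes standing in for a real link (no network needed).
    print(path_mtu(lambda size: size <= 1372))  # simulated link limit
    print(path_mtu(lambda size: size <= 1302))  # simulated tighter VPN limit
    # Real use, run over the VPN: path_mtu(lambda s: ping_df("HOST-BEHIND-VPN", s))
```
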

I changed the MTU size in the registry to my largest MTU size. It’s 1372 + 28 = 1400 (like described in the tutorial) for both the ISP connection and the university’s connection. I added the value like here mentioned and restarted, but it still doesn’t work when the “fragmented datagrams” setting is checked.

Here is a strange thing: when I check “block fragm. dat.” and connect to the uni’s VPN, the largest MTU size is only 1302. When I set it to a higher value I get a timeout and not a “fragmented packet” message.

I hope I made myself clear.

Is there a tool to read the current MTU size, so I can check if I did everything right?


Okay, I changed the value now to 1330 (1302+28) and the uni VPN connection now works even with the setting checked.
That’s all really weird and quite complicated for me.
I think CPF is somehow influencing these MTU values.
Anyway, with the value 1330 it works now.

I remember CPF 2 logged fragmented IPs, isn’t that the case anymore?

If you need some more testing from me, don’t hesitate, I’ll do what I can.

Okay, I’ll take everything back. When I clicked “Post” to submit this, the request timed out. I tried to post over my uni’s VPN to test, now I send this with my ISP’s connection.


Edit: with the normal ISP connection posting this was successful. With the uni’s VPN everything worked, except posting this. Hmm…maybe I’ve set the MTU still too high.
I stop now, it’s too late.