BR200 and fragmentation

  • 1
  • Question
  • Updated 1 year ago
Hi all -

I am using HM to manage a few BR200WP routers and this works well except for one issue that I just cannot resolve.  My BRs establish layer-3 IPSEC tunnel back to my CVG VM, which operates out of my data center location.

    [BR]   <-IPSEC-> |    [CVG]         |                 |    [PBX]     |
192.168.3.0/26 | WAN 38.118.X.X | | 172.16.209.2 |
| LAN 172.16.22.100| | |
| | | |
| [FW] |-172.16.209.1-> | [FW] |
| (INTERNAL NETS) |<-172.16.209.254-| (VOICE) |

This arrangement seems to work pretty well, except when ICMP traffic originating from my PBX at 172.16.209.2 tries to hit a VoIP device behind the BR.  The VoIP phones do work, but inconsistently.  A packet capture in Wireshark and subsequent SIP analysis on that capture showed that fragmentation was causing some of my outbound calls to fail.

Running a tcpdump on the voice firewall in front of the PBX shows constant fragmentation messages.  For example:

IP 172.16.22.100 > 172.16.209.2: ICMP 192.168.2.231 unreachable - need to frag (mtu 1398), length 556
IP 172.16.22.100 > 172.16.209.2: ICMP 192.168.3.36 unreachable - need to frag (mtu 1414), length 556

As depicted, 172.16.22.100 is the LAN IP of the CVG (operating in 2-arm mode).  It routes to internal networks via 172.16.22.1, and traffic routes to/from the PBX via the .1 and .254 gateways created on the firewalls.  Firewall interfaces are configured with a 1500 MTU.

When I raised this issue with my PBX vendor, their only suggestion was to enable any "ignore DF" option available in my firewall, but this is already a default setting for my firewalls.

This seems to be a tandem issue of the PBX sending ICMP packets, with those packets traversing networks un-encapsulated, then hitting the CVG which encapsulates the packets and tunnel to the BR.

Just wondering what the experts here have to say about dealing with MTU issues as they relate to IPSEC tunneling and the BR.

Thanks for reading!
Dave
Photo of daveyfx

daveyfx

  • 1 Post
  • 0 Reply Likes

Posted 1 year ago

  • 1

There are no replies.