Fragmented OpenVPN over GRE tunnel traffic being dropped

Overview

This issue happens on some Exinda appliances where OpenVPN traffic passes through a GRE tunnel and the UDP packets are fragmented before they reach the Exinda, with the do-not-fragment (DF) bit set to 1 and the more-fragments (MF) bit also set to 1.

This typically affects large authentication packets such as UDP RADIUS authentication which are encapsulated in GRE tunnels.

Cause

When the Exinda receives fragmented UDP packets, it has to reassemble them so that it can monitor the traffic. On egress, the Exinda attempts to resend the UDP packets without re-fragmenting them. The reassembled packets are bigger than the MTU on the Exinda and are therefore dropped.

The authentication packets typically affected are those encapsulated in a GRE tunnel that has a small MTU, e.g. 1400. The packets are fragmented so that they can be transmitted over the GRE tunnel.

The Exinda reassembles the fragments, which results in a packet bigger than the MTU of the NIC interface; because the DF bit is set to 1, the packet is dropped.
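
The drop condition described above can be checked offline against captured IPv4 headers. The following is an added example, not Exinda code: the function names, the 1500-byte egress MTU and the sample headers are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

def parse_ipv4(hdr: bytes) -> dict:
    """Decode the IPv4 header fields relevant to fragmentation."""
    ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", hdr[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "key": (src, dst, proto, ident),      # reassembly key (RFC 791)
        "df": bool(flags_off & 0x4000),       # do-not-fragment bit
        "mf": bool(flags_off & 0x2000),       # more-fragments bit
        "offset": (flags_off & 0x1FFF) * 8,   # fragment offset in bytes
        "payload": total_len - ihl,
        "ihl": ihl,
    }

def at_risk_datagrams(headers, egress_mtu=1500):
    """Map IP ID -> reassembled size for DF-marked fragment sets above egress_mtu."""
    groups = defaultdict(list)
    for h in headers:
        f = parse_ipv4(h)
        if f["mf"] or f["offset"]:            # keep only actual fragments
            groups[f["key"]].append(f)
    risky = {}
    for key, frags in groups.items():
        last = [f for f in frags if not f["mf"]]
        if not last:
            continue                          # final fragment not captured
        size = frags[0]["ihl"] + last[0]["offset"] + last[0]["payload"]
        if size > egress_mtu and any(f["df"] for f in frags):
            risky[key[3]] = size              # cannot be re-fragmented on egress
    return risky

def make_hdr(ident, total_len, df, mf, offset_bytes, proto=17):
    """Build a constructed 20-byte IPv4 header (checksum left at zero)."""
    flags_off = (0x4000 if df else 0) | (0x2000 if mf else 0) | (offset_bytes // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_off,
                       64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

# Constructed sample: one datagram split to fit a 1400-byte tunnel MTU, plus one whole packet.
SAMPLE = [
    make_hdr(0x1234, 1396, df=True, mf=True, offset_bytes=0),
    make_hdr(0x1234, 420, df=True, mf=False, offset_bytes=1376),
    make_hdr(0x9999, 600, df=True, mf=False, offset_bytes=0),
]
```

Calling `at_risk_datagrams(SAMPLE)` reports the fragmented datagram, which reassembles to 1796 bytes; the unfragmented packet is ignored.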

Resolution

This is resolved in version 7.4.3.

Defect ID

D-05137
  1. Priyanka Bhotika
