03-07-2013 12:13 PM
ilo2 (2.15) PMTU discovery broken
hi,
I was trying to connect to some ilo card via ipsec vpn. The connections are very slow, so I did a tcpdump on the gateway to the ilo card and it seems that the ilo2 ignores pmtu discovery:
20:27:49.899451 IP 192.168.101.112.443 > 192.168.56.93.50366: tcp 1460
20:27:49.899489 IP 192.168.101.65 > 192.168.101.112: ICMP 192.168.56.93 unreachable - need to frag (mtu 1430), length 556
20:27:49.922517 IP 192.168.101.112.443 > 192.168.56.93.50366: tcp 1460
20:27:49.922553 IP 192.168.101.65 > 192.168.101.112: ICMP 192.168.56.93 unreachable - need to frag (mtu 1430), length 556
20:27:49.927440 IP 192.168.56.93.50366 > 192.168.101.112.443: tcp 0
20:27:49.933959 IP 192.168.101.112.443 > 192.168.56.93.50366: tcp 1460
20:27:49.933990 IP 192.168.101.65 > 192.168.101.112: ICMP 192.168.56.93 unreachable - need to frag (mtu 1430), length 556
20:27:49.945002 IP 192.168.101.112.443 > 192.168.56.93.50366: tcp 1460
20:27:49.945032 IP 192.168.101.65 > 192.168.101.112: ICMP 192.168.56.93 unreachable - need to frag (mtu 1430), length 556
20:27:49.955965 IP 192.168.101.112.443 > 192.168.56.93.50366: tcp 1460
20:27:49.955998 IP 192.168.101.65 > 192.168.101.112: ICMP 192.168.56.93 unreachable - need to frag (mtu 1430), length 556
20:27:50.956805 IP 192.168.101.112.443 > 192.168.56.93.50366: tcp 1460
20:27:50.958898 IP 192.168.56.93.50366 > 192.168.101.112.443: tcp 0
20:27:50.959495 IP 192.168.101.112.443 > 192.168.56.93.50366: tcp 1460
20:27:50.961385 IP 192.168.56.93.50366 > 192.168.101.112.443: tcp 0
20:27:50.962036 IP 192.168.101.112.443 > 192.168.56.93.50366: tcp 1460
20:27:50.963814 IP 192.168.56.93.50366 > 192.168.101.112.443: tcp 0
20:27:50.964363 IP 192.168.101.112.443 > 192.168.56.93.50366: tcp 1460
20:27:50.966148 IP 192.168.56.93.50366 > 192.168.101.112.443: tcp 0
20:27:50.976079 IP 192.168.101.112.443 > 192.168.56.93.50366: tcp 1460
Can I manually lower the mtu on the ilo? Because this behavior is completely broken and violates RFC 1191.
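As an added illustration (not part of the original post), the pattern in this capture can be detected mechanically: count the segments a sender keeps emitting at a size that exceeds the MTU it has already been told in an ICMP need-to-frag message. The function name, the threshold and the 40-byte header allowance are assumptions; the first eight sample lines come from the capture above and the 10.0.0.5 flow is constructed.

```python
import re
from collections import defaultdict

# First eight lines are from the capture above; the 10.0.0.5 flow is constructed.
SAMPLE = """\
20:27:49.899451 IP 192.168.101.112.443 > 192.168.56.93.50366: tcp 1460
20:27:49.899489 IP 192.168.101.65 > 192.168.101.112: ICMP 192.168.56.93 unreachable - need to frag (mtu 1430), length 556
20:27:49.922517 IP 192.168.101.112.443 > 192.168.56.93.50366: tcp 1460
20:27:49.922553 IP 192.168.101.65 > 192.168.101.112: ICMP 192.168.56.93 unreachable - need to frag (mtu 1430), length 556
20:27:49.927440 IP 192.168.56.93.50366 > 192.168.101.112.443: tcp 0
20:27:49.933959 IP 192.168.101.112.443 > 192.168.56.93.50366: tcp 1460
20:27:49.933990 IP 192.168.101.65 > 192.168.101.112: ICMP 192.168.56.93 unreachable - need to frag (mtu 1430), length 556
20:27:49.945002 IP 192.168.101.112.443 > 192.168.56.93.50366: tcp 1460
20:30:00.000001 IP 10.0.0.5.443 > 10.9.9.9.40000: tcp 1460
20:30:00.000050 IP 10.0.0.1 > 10.0.0.5: ICMP 10.9.9.9 unreachable - need to frag (mtu 1430), length 556
20:30:00.010000 IP 10.0.0.5.443 > 10.9.9.9.40000: tcp 1390
20:30:00.020000 IP 10.0.0.5.443 > 10.9.9.9.40000: tcp 1390
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
TCP = re.compile(rf"IP {IPV4}\.\d+ > {IPV4}\.\d+: tcp (\d+)")
ICMP = re.compile(rf"IP \S+ > {IPV4}: ICMP {IPV4} unreachable - need to frag \(mtu (\d+)\)")
HEADERS = 40  # assumption: 20-byte IPv4 header + 20-byte TCP header, no options

def pmtud_ignored(capture, threshold=3):
    """Return {(sender, dest): n} for senders that sent n >= threshold
    segments larger than an MTU they had already been told about."""
    told = {}                    # (sender, dest) -> smallest advertised MTU
    oversized = defaultdict(int)
    for line in capture.splitlines():
        m = ICMP.search(line)
        if m:                    # router -> sender: "need to frag (mtu N)"
            key = (m.group(1), m.group(2))
            told[key] = min(int(m.group(3)), told.get(key, 65535))
            continue
        m = TCP.search(line)
        if m:                    # data segment: payload + headers vs. told MTU
            key = (m.group(1), m.group(2))
            if key in told and int(m.group(3)) + HEADERS > told[key]:
                oversized[key] += 1
    return {k: n for k, n in oversized.items() if n >= threshold}

if __name__ == "__main__":
    print(pmtud_ignored(SAMPLE))
```

On the sample, only the 192.168.101.112 flow is reported; the constructed 10.0.0.5 sender drops to 1390-byte segments after the first ICMP and is not flagged.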
03-08-2013 08:14 AM - edited 03-08-2013 08:14 AM
Re: ilo2 (2.15) PMTU discovery broken
iLO2 TCP/IP stack is defined as a Host, not a Relay. The TCP/IP standard requires relaying to be Off as default.
__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
03-08-2013 08:22 AM
Re: ilo2 (2.15) PMTU discovery broken
This has nothing to do with Host, Router, Relay and so on. PMTU discovery should be active on all devices connected to the internet, or that must be reachable via links with a smaller mtu than 1500. Please take a look at:
http://en.wikipedia.org/wiki/Path_MTU_Discovery
"For IPv4 packets, Path MTU Discovery works by setting the Don't Fragment (DF) option bit in the IP headers of outgoing packets. Then, any device along the path whose MTU is smaller than the packet will drop it, and send back an Internet Control Message Protocol (ICMP) Fragmentation Needed (Type 3, Code 4) message containing its MTU, allowing the source host to reduce its Path MTU appropriately. The process is repeated until the MTU is small enough to traverse the entire path without fragmentation."
03-09-2013 08:40 AM - edited 03-09-2013 08:41 AM
Re: ilo2 (2.15) PMTU discovery broken
Sorry, I misread your post.
Does this issue happen with iLO2 v2.09?
I'm asking because in version 2.12 we added a few countermeasures for ICMP blind reset attacks. In the ICMP unreachable message that we get back, we now check the Internet Header + the 64 bits of Data Datagram portion. If it doesn't match the IP message that we send, we discard the ICMP.
__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
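The kind of check described in the reply above, sketched as an added example; this is not HPE's firmware code. It accepts an ICMP Fragmentation Needed message only when the quoted IP header and first 64 bits of the TCP header identify a segment the connection still has in flight, so a blind forgery is discarded while a genuine message still lowers the path MTU. The function names and the `conn` fields are assumptions, and the packets are constructed.

```python
import socket
import struct

def build_frag_needed(mtu, src, sport, dst, dport, seq):
    """Constructed input: ICMP type 3 code 4 quoting an IPv4 header plus
    the first 8 bytes of the TCP header (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0, 0x4000, 63, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return (struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + ip
            + struct.pack("!HHI", sport, dport, seq))

def accept_frag_needed(icmp, conn):
    """Return the new path MTU if the ICMP quotes a segment this connection
    still has in flight, otherwise None (the message is discarded)."""
    if len(icmp) < 36:           # 8 ICMP + 20 IPv4 + 8 bytes of TCP
        return None
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    quoted = icmp[8:]
    ihl = (quoted[0] & 0x0F) * 4
    if (typ, code) != (3, 4) or ihl < 20 or len(quoted) < ihl + 8:
        return None
    # Compare only fields that survive the trip: routers rewrite the TTL and
    # header checksum, so a byte-for-byte match against the packet as sent
    # can fail for a genuine message.
    src = socket.inet_ntoa(quoted[12:16])
    dst = socket.inet_ntoa(quoted[16:20])
    sport, dport, seq = struct.unpack("!HHI", quoted[ihl:ihl + 8])
    if quoted[9] != 6 or (src, sport, dst, dport) != conn["tuple"]:
        return None
    # The quoted sequence number must be unacknowledged data:
    # snd_una <= seq < snd_nxt, computed modulo 2**32.
    in_flight = (conn["snd_nxt"] - conn["snd_una"]) % 2**32
    if (seq - conn["snd_una"]) % 2**32 >= in_flight:
        return None
    # Only ever lower the path MTU, never below the IPv4 minimum of 68.
    # (MTU 0 from pre-RFC 1191 routers needs a plateau table; not handled.)
    if not 68 <= mtu < conn["pmtu"]:
        return None
    return mtu

# Hypothetical connection state for the flow in the first post's capture.
CONN = {"tuple": ("192.168.101.112", 443, "192.168.56.93", 50366),
        "snd_una": 1000, "snd_nxt": 3920, "pmtu": 1500}
GENUINE = build_frag_needed(1430, "192.168.101.112", 443,
                            "192.168.56.93", 50366, 1000)
```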
03-10-2013 01:50 AM
Re: ilo2 (2.15) PMTU discovery broken
With 2.09 it seems to run fine. I could do some more network dumps the next day.
If you send me your e-mail address I can send you the pcap file with the problem in 2.15.
03-10-2013 09:44 AM
Re: ilo2 (2.15) PMTU discovery broken
I sent you a PM
03-19-2013 10:46 AM
Re: ilo2 (2.15) PMTU discovery broken
We found the bug that broke Path MTU discovery in 2.12 and later and we are fixing it in the next iLO2 v2.20 that will be available on the FTP in early May 2013.
07-17-2013 08:53 AM
Re: ilo2 (2.15) PMTU discovery broken
Hello!
It seems that PMTU discovery problem exists in iLO4 firmware too.
We have a customer far from us with two brand new DL360p Gen8 servers we should set up remotely. The servers have iLO4 Advanced, which I can reach through an IPsec VPN tunnel. I can ping iLO and ssh to it but can't reach the web interface. The TCP connection to the https service is established but freezes quickly. I took a tcpdump and saw that some "big" packets (~1400 bytes) from iLO do not reach the browser. We are still investigating the problem but it looks similar to the one discussed above.
iLO4 firmware version is 2.13
07-18-2013 06:51 AM
Re: ilo2 (2.15) PMTU discovery broken
Please PM me a network trace if you can.
07-24-2013 04:09 AM
Re: ilo2 (2.15) PMTU discovery broken
The problem also occurs in my setup, with ilo2 firmware 2.15.
I have captured a pcap packet trace (stored here: http://www.exp-math.uni-essen.de/~dreibh/temp/ilo.pcap) on a router connecting a local Ethernet (MTU: 1500) with a VPN tunnel (MTU: 1472). The iLO machine is 10.1.2.241, the web browser is 10.1.1.50. When the iLO machine sends a 1500-byte packet, with the Don't Fragment flag set in the IP header, the router correctly responds with an ICMP Fragmentation Needed. However, the iLO machine just ignores that and keeps sending 1500-byte packets as retransmissions -- which are dropped. The HTTPS connection therefore hangs.
When will there be a fix for this problem? I think trying to use iLO over a VPN is not that uncommon.