HPE Community
ProLiant Servers (ML,DL,SL)
1753974 Members
7391 Online
108811 Solutions
New Discussion

Re: ilo2 (2.15) PMTU discovery broken

 
Ruben_Herold
Frequent Advisor

‎03-07-2013 12:13 PM

‎03-07-2013 12:13 PM

ilo2 (2.15) PMTU discovery broken

hi,

 

I was trying to connect to some ilo card via ipsec vpn. The connections are very slow, so I did an tcpdump on the gateway to the ilo card and it seems that the ilo2 ignores pmtu discovery:

 

20:27:49.899451 IP 192.168.101.112.443 > 192.168.56.93.50366: tcp 1460
20:27:49.899489 IP 192.168.101.65 > 192.168.101.112: ICMP 192.168.56.93 unreachable - need to frag (mtu 1430), length 556
20:27:49.922517 IP 192.168.101.112.443 > 192.168.56.93.50366: tcp 1460
20:27:49.922553 IP 192.168.101.65 > 192.168.101.112: ICMP 192.168.56.93 unreachable - need to frag (mtu 1430), length 556
20:27:49.927440 IP 192.168.56.93.50366 > 192.168.101.112.443: tcp 0
20:27:49.933959 IP 192.168.101.112.443 > 192.168.56.93.50366: tcp 1460
20:27:49.933990 IP 192.168.101.65 > 192.168.101.112: ICMP 192.168.56.93 unreachable - need to frag (mtu 1430), length 556
20:27:49.945002 IP 192.168.101.112.443 > 192.168.56.93.50366: tcp 1460
20:27:49.945032 IP 192.168.101.65 > 192.168.101.112: ICMP 192.168.56.93 unreachable - need to frag (mtu 1430), length 556
20:27:49.955965 IP 192.168.101.112.443 > 192.168.56.93.50366: tcp 1460
20:27:49.955998 IP 192.168.101.65 > 192.168.101.112: ICMP 192.168.56.93 unreachable - need to frag (mtu 1430), length 556
20:27:50.956805 IP 192.168.101.112.443 > 192.168.56.93.50366: tcp 1460
20:27:50.958898 IP 192.168.56.93.50366 > 192.168.101.112.443: tcp 0
20:27:50.959495 IP 192.168.101.112.443 > 192.168.56.93.50366: tcp 1460
20:27:50.961385 IP 192.168.56.93.50366 > 192.168.101.112.443: tcp 0
20:27:50.962036 IP 192.168.101.112.443 > 192.168.56.93.50366: tcp 1460
20:27:50.963814 IP 192.168.56.93.50366 > 192.168.101.112.443: tcp 0
20:27:50.964363 IP 192.168.101.112.443 > 192.168.56.93.50366: tcp 1460
20:27:50.966148 IP 192.168.56.93.50366 > 192.168.101.112.443: tcp 0
20:27:50.976079 IP 192.168.101.112.443 > 192.168.56.93.50366: tcp 1460

 

Can I manual lower the mtu on the ilo? Cause this behavior is complete broken and violates RFC 1191.

 

 

 

 

0 Kudos
Reply
11 REPLIES 11
Oscar A. Perez
Honored Contributor

‎03-08-2013 08:14 AM - edited ‎03-08-2013 08:14 AM

‎03-08-2013 08:14 AM - edited ‎03-08-2013 08:14 AM

Re: ilo2 (2.15) PMTU discovery broken

iLO2 TCP/IP stack is defined as a Host, not a Relay. The TCP/IP standard requires relaying to be Off as default.




__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
0 Kudos
Reply
Ruben_Herold
Frequent Advisor

‎03-08-2013 08:22 AM

‎03-08-2013 08:22 AM

Re: ilo2 (2.15) PMTU discovery broken

 

This has nothing to to with Host, Router, Relay and so on. PMTU discovery should to be activ on all devices connected to the internet, or must be reachable via links with an smaller mtu than 1500. Please take a look to:

 

http://en.wikipedia.org/wiki/Path_MTU_Discovery

 

"For IPv4 packets, Path MTU Discovery works by setting the Don't Fragment (DF) option bit in the IP headers of outgoing packets. Then, any device along the path whose MTU is smaller than the packet will drop it, and send back an Internet Control Message Protocol (ICMP) Fragmentation Needed (Type 3, Code 4) message containing its MTU, allowing the source host to reduce its Path MTU appropriately. The process is repeated until the MTU is small enough to traverse the entire path without fragmentation."

 

 

0 Kudos
Reply
Oscar A. Perez
Honored Contributor

‎03-09-2013 08:40 AM - edited ‎03-09-2013 08:41 AM

‎03-09-2013 08:40 AM - edited ‎03-09-2013 08:41 AM

Re: ilo2 (2.15) PMTU discovery broken

Sorry, I misread your post.

 

Does this issue happen with iLO2 v2.09?  

 

I'm asking because in version 2.12 we added few countermeasures for ICMP blind reset attacks. In the ICMP unreachable message that we get back, we now check the Internet Header + the 64 bits of Data Datagram portion. If it doesn't match with the IP message that we send, we discard the ICMP.

 




__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
0 Kudos
Reply
Ruben_Herold
Frequent Advisor

‎03-10-2013 01:50 AM

‎03-10-2013 01:50 AM

Re: ilo2 (2.15) PMTU discovery broken

With 2.09 it seems too run fine. I  could do some more network dumps the next day.

If you send me your e-mail Address  I can send you the pcap file with the problem in 2.15.

 

0 Kudos
Reply
Oscar A. Perez
Honored Contributor

‎03-10-2013 09:44 AM

‎03-10-2013 09:44 AM

Re: ilo2 (2.15) PMTU discovery broken

I sent you a PM




__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
0 Kudos
Reply
Oscar A. Perez
Honored Contributor

‎03-19-2013 10:46 AM

‎03-19-2013 10:46 AM

Re: ilo2 (2.15) PMTU discovery broken

We found the bug that broke Path MTU discovery in 2.12 and later and we are fixing it in the next iLO2 v2.20 that will be available on the FTP on early May 2013.




__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
0 Kudos
Reply
Ivan_Kuznetsov
Occasional Contributor

‎07-17-2013 08:53 AM

‎07-17-2013 08:53 AM

Re: ilo2 (2.15) PMTU discovery broken

Hello!

 

It seems that PMTU discovery problem exists in iLO4 firmware too.

 

We have a customer far from us with two brand new DL360p Gen8 servers we should set up remotely. The servers has iLO4 Advanced I can reach through an IPsec VPN tunnel. I can ping iLO and ssh to it but can't reach the web interface. Tcp connection to https service is established but freezes quickly. I take tcpdump and see that some "big" packets (~1400 bytes) from iLO do not reach browser. We still investigate the problem but it looks similar the discussed above

 

iLO4 firmware version is 2.13

0 Kudos
Reply
Oscar A. Perez
Honored Contributor

‎07-18-2013 06:51 AM

‎07-18-2013 06:51 AM

Re: ilo2 (2.15) PMTU discovery broken

Please PM me a network trace if you can.




__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
0 Kudos
Reply
TD-NorNet
Occasional Contributor

‎07-24-2013 04:09 AM

‎07-24-2013 04:09 AM

Re: ilo2 (2.15) PMTU discovery broken

The problem also occurs in my setup, with ilo2 firmware 2.15.

 

I have captured a pcap packet trace (stored here: http://www.exp-math.uni-essen.de/~dreibh/temp/ilo.pcap) on a router connecting a local Ethernet (MTU: 1500) with a VPN tunnel (MTU: 1472). The iLO machine is 10.1.2.241, the web browser is 10.1.1.50. When the iLO machine sends a 1500-byte packet, with Don't Fragment flag set in the IP header, the router correctly responds with an ICMP Fragmentation Needed. However, the iLO machine just ignoes that and keeps sending 1500-byte-packets as retransmissions -- which are dropped. The HTTPS connection therefore hangs.

 

When will there be a fix for this problem? I think trying to use iLO over a VPN is not that uncommon.

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.