Jan 23
If there is a link with a smaller MTU somewhere on the path between the VPN gateways, the router attached to that link answers ESP packets that have the DF bit set and exceed the link MTU with an ICMP Fragmentation Needed message (Destination Unreachable, type 3, code 4), which carries the next-hop MTU.
However, at that moment the firewall only stores the learned MTU for that VPN peer; no ICMP error is sent to the endpoint of the original connection, since the error quotes the outer ESP datagram rather than the internal host's packet.
The ICMP error reaches the host in the internal network only when it sends its next packet that, once encapsulated, would exceed the learned MTU: that is when the firewall handling the connection replies with Fragmentation Needed, quoting an MTU reduced by the ESP overhead, so the host's own path MTU discovery adjusts from there.
written by RoarinPenguin
tags: engine, fragmentation needed, ICMP, VPN
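The two-step behaviour described above, modelled as an added example (this is illustration code, not code from the original post or from any firewall vendor): a router's type 3 / code 4 message is built and parsed per RFC 1191, the gateway stores the next-hop MTU for the peer without sending anything inward, and only the internal host's next oversized DF packet gets the ICMP error. The ESP overhead of 62 bytes and all addresses, SPIs and sizes are constructed assumptions.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4
IPPROTO_ESP = 50


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (data zero-padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int, df: bool = True) -> bytes:
    """Minimal 20-byte IPv4 header (constructed test data), DF set by default."""
    flags_frag = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def esp_packet(src: str, dst: str, spi: int, seq: int, payload_len: int) -> bytes:
    """An outer ESP datagram: IPv4 header, SPI, sequence number, opaque payload."""
    body = struct.pack("!II", spi, seq) + b"\x00" * payload_len
    return ipv4_header(src, dst, IPPROTO_ESP, 20 + len(body)) + body


def build_frag_needed(next_hop_mtu: int, original: bytes) -> bytes:
    """ICMP Destination Unreachable, code 4, with the RFC 1191 next-hop MTU field,
    quoting the offending datagram's IP header plus 8 bytes (SPI and sequence for ESP)."""
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu) + original[:28]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_frag_needed(msg: bytes):
    """Return (next_hop_mtu, quoted_datagram), or None if msg is not a valid type 3 / code 4."""
    if len(msg) < 36 or inet_checksum(msg) != 0:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if icmp_type != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    return mtu, msg[8:]


@dataclass
class VpnGateway:
    """The PMTU-learning behaviour of the VPN gateway, in miniature."""
    # Assumption: outer IP 20 + SPI/seq 8 + 16-byte IV + 2-byte trailer + 16-byte ICV, padding ignored.
    esp_overhead: int = 62
    pmtu_by_peer: dict = field(default_factory=dict)

    def on_outer_icmp(self, msg: bytes) -> Optional[str]:
        """Step 1: the router's ICMP arrives. Store the MTU for the peer; send nothing inward."""
        parsed = parse_frag_needed(msg)
        if parsed is None:
            return None
        mtu, quoted = parsed
        if quoted[9] != IPPROTO_ESP:  # only honour errors that quote our own ESP traffic
            return None
        peer = ".".join(str(b) for b in quoted[16:20])  # destination of the dropped ESP datagram
        self.pmtu_by_peer[peer] = mtu
        return peer

    def on_inner_packet(self, peer: str, length: int, df: bool):
        """Step 2: the next inner packet for that peer. Now the ICMP error goes to the internal host."""
        pmtu = self.pmtu_by_peer.get(peer)
        if pmtu is None or length + self.esp_overhead <= pmtu:
            return ("encapsulate", None)
        inner_mtu = pmtu - self.esp_overhead
        return ("icmp_frag_needed", inner_mtu) if df else ("fragment", inner_mtu)


def demo():
    """Replay the exchange from the post and return what the gateway did at each step."""
    gw = VpnGateway()
    events = []
    # 1. internal host sends a 1500-byte DF packet; nothing is known yet, so it is encapsulated and sent
    events.append(gw.on_inner_packet("198.51.100.2", 1500, df=True))
    # 2. the ESP datagram is too big for a 1400-byte link; the router there answers with type 3 code 4
    too_big = esp_packet("203.0.113.1", "198.51.100.2", spi=0x10000001, seq=1, payload_len=1500 + 34)
    icmp = build_frag_needed(1400, too_big)
    events.append(("stored_pmtu", gw.on_outer_icmp(icmp), gw.pmtu_by_peer.get("198.51.100.2")))
    # 3. the host's next DF packet is the one that receives the ICMP error, MTU reduced by ESP overhead
    events.append(gw.on_inner_packet("198.51.100.2", 1500, df=True))
    # 4. a packet without DF is fragmented by the gateway instead of being rejected
    events.append(gw.on_inner_packet("198.51.100.2", 1500, df=False))
    return events


if __name__ == "__main__":
    for event in demo():
        print(event)
```

Step 3 is the point of the post: the first oversized packet is already gone by the time the router complains, so the host only learns the reduced MTU on its next attempt, and any host that blackholes ICMP never learns it at all.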
Nov 26
Sometimes there is a necessity to load-balance not only TCP/UDP sessions over a server pool but also redirect ICMP echo requests to the servers themselves. This is needed for troubleshooting purposes, or for probing real servers through a VIP (virtual IP) with a monitoring tool.
I observed the following default firewall behavior: it proxies all incoming ICMP packets and responds to them itself, instead of forwarding them to the real servers in the pool, so playing with the server monitoring agent settings and “excluding” the servers from the pool does not affect the observed results at all.
To force the firewall to “move on” ICMP packets, I unchecked “proxy ARP entry generation” in the “External addresses” section properties. After that the firewall did its job correctly (as I expected, at least).
written by DR
tags: balance, ICMP, load