Welcome to ISAserver.org


Cannot change MTU Size on External NIC

Cannot change MTU Size on External NIC - 27.Apr.2006 3:05:18 PM   
klaeger

 

Posts: 88
Joined: 15.Feb.2002
From: Jona, Switzerland
Status: offline
There is a problem with the TCP packet size on my new ISA Server 2004; with ISA 2000 it worked correctly.

My MTU setting on the external interface is 1374 on both servers.

With my new ISA 2004 I have troubles and made a sniff on the external interface.

The result is here:

Working Case on old ISA Server 2000:
---------------------------------------
Frame 101 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: xx:xx:xx:xx:xx:xx (xx:xx:xx:xx:xx:xx), Dst: xx:xx:xx:xx:xx:xx(xx:xx:xx:xx:xx:xx)
Internet Protocol, Src: 172.20.20.32 (172.20.20.32), Dst: 194.209.245.105 (194.209.245.105)
Transmission Control Protocol, Src Port: 1276 (1276), Dst Port: 211 (211), Seq: 3262303794, Len: 0
  Source port: 1276 (1276)
  Destination port: 211 (211)
  Sequence number: 3262303794
  Header length: 28 bytes
  Flags: 0x0002 (SYN)
  Window size: 64512
  Checksum: 0x783a [correct]
  Options: (8 bytes)
      Maximum segment size: 1460 bytes
      NOP
      NOP
      SACK permitted
 
Frame 102 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: xx:xx:xx:xx:xx:xx(xx:xx:xx:xx:xx:xx), Dst: xx:xx:xx:xx:xx:xx(xx:xx:xx:xx:xx:xx)
Internet Protocol, Src: 194.209.245.105 (194.209.245.105), Dst: 172.20.20.32 (172.20.20.32)
Transmission Control Protocol, Src Port: 211 (211), Dst Port: 1276 (1276), Seq: 4291314383, Ack: 3262303795, Len: 0
  Source port: 211 (211)
  Destination port: 1276 (1276)
  Sequence number: 4291314383
  Acknowledgement number: 3262303795
  Header length: 28 bytes
  Flags: 0x0012 (SYN, ACK)
  Window size: 65535
  Checksum: 0x31e8 [correct]
  Options: (8 bytes)
      Maximum segment size: 1374 bytes  <------ here the server comes back with a smaller MTU size
      NOP
      NOP
      SACK permitted
 
Not working Case on ISA 2004:
--------------------------------
Frame 93 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: xx:xx:xx:xx:xx:xx(xx:xx:xx:xx:xx:xx), Dst: xx:xx:xx:xx:xx:xx(xx:xx:xx:xx:xx:xx)
Internet Protocol, Src: 62.65.157.242 (62.65.157.242), Dst: 194.209.245.105 (194.209.245.105)
Transmission Control Protocol, Src Port: 6348 (6348), Dst Port: 211 (211), Seq: 2067110670, Len: 0
  Source port: 6348 (6348)
  Destination port: 211 (211)
  Sequence number: 2067110670
  Header length: 28 bytes
  Flags: 0x0002 (SYN)
  Window size: 64512
  Checksum: 0xc2cc [correct]
  Options: (8 bytes)
      Maximum segment size: 1460 bytes
      NOP
      NOP
      SACK permitted
 
Frame 94 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: xx:xx:xx:xx:xx:xx(xx:xx:xx:xx:xx:xx), Dst: xx:xx:xx:xx(xx:xx:xx:xx)
Internet Protocol, Src: 194.209.245.105 (194.209.245.105), Dst: xx:xx:xx:xx(xx:xx:xx:xx)
Transmission Control Protocol, Src Port: 211 (211), Dst Port: 6348 (6348), Seq: 4288342089, Ack: 2067110671, Len: 0
  Source port: 211 (211)
  Destination port: 6348 (6348)
  Sequence number: 4288342089
  Acknowledgement number: 2067110671
  Header length: 28 bytes
  Flags: 0x0012 (SYN, ACK)
  Window size: 17520
  Checksum: 0x9267 [correct]
  Options: (8 bytes)
      Maximum segment size: 1460 bytes  <---- here are the 1460
      NOP
      NOP
      SACK permitted
 
 
 
Does anybody else have similar problems with the MTU setting?
I can set whatever I want, using Path MTU detection or not; the result is the same every time.
 
 
Suggestions
 
 
Thanks
Daniel


< Message edited by klaeger -- 27.Apr.2006 3:08:28 PM >
Post #: 1
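
An added example (not part of the original post or of Microsoft's hotfix): a small Python parser that pulls the MSS option out of a raw TCP header and compares the two SYN/ACK replies from the captures above. The header bytes are rebuilt from the field values shown in frames 102 and 94; the function names and the 1374-byte threshold (the value seen in the working capture) are assumptions.

```python
import struct

SYN, ACK = 0x02, 0x10

def build_tcp_header(sport, dport, seq, ack, flags, window, mss):
    """Constructed sample: 20-byte TCP header plus the 8 option bytes from the trace."""
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01" + b"\x04\x02"  # MSS, NOP, NOP, SACK
    offset = (20 + len(options)) // 4          # 28 bytes -> data offset 7
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       offset << 4, flags, window, 0, 0) + options

def parse_mss(tcp):
    """Return the MSS option value from a raw TCP header, or None if absent/malformed."""
    if len(tcp) < 20:
        return None
    hdr_len = (tcp[12] >> 4) * 4
    if hdr_len < 20 or hdr_len > len(tcp):
        return None
    opts, i = tcp[20:hdr_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                          # End of option list
            break
        if kind == 1:                          # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return None                        # truncated or bogus option length
        if kind == 2 and opts[i + 1] == 4:     # MSS option: kind 2, length 4
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return None

def check_handshake(tcp, expected_mss):
    """Flag a SYN or SYN/ACK whose MSS is larger than the path is known to carry."""
    if len(tcp) < 20 or not tcp[13] & SYN:
        return "not a handshake segment"
    mss = parse_mss(tcp)
    if mss is None:
        return "no MSS option"
    return f"MSS {mss} exceeds {expected_mss}" if mss > expected_mss else f"MSS {mss} ok"

# Field values taken from frames 102 and 94 in the post; checksum left at 0.
WORKING = build_tcp_header(211, 1276, 4291314383, 3262303795, SYN | ACK, 65535, 1374)
BROKEN = build_tcp_header(211, 6348, 4288342089, 2067110671, SYN | ACK, 17520, 1460)

if __name__ == "__main__":
    for name, seg in (("ISA 2000", WORKING), ("ISA 2004", BROKEN)):
        print(name, "->", check_handshake(seg, expected_mss=1374))
```
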
RE: Cannot change MTU Size on External NIC - 28.Apr.2006 3:27:34 PM   
klaeger

 

I'm in contact with Microsoft, and at the moment it looks like communication directly on the ISA Server works fine, but when a SecureNAT client communication or a firewall communication is initiated, the packet size setting was always 1460, which is wrong. Maybe there is a fault in the firewall engine. Microsoft will inform me soon about that behavior.



_____________________________

Thanks, Daniel

Man grows cold faster than the planet he inhabits : Albert Einstein

(in reply to klaeger)
Post #: 2
RE: Cannot change MTU Size on External NIC - 4.May2006 7:49:53 AM   
klaeger

 

Yesterday, a Microsoft supporter from the German ISA team helped me to find a workaround.

In fact, the SecureNAT and the Firewall Client communicated through the Kernel Mode Data Pump, and in this constellation they never got the right MTU size from the server. Microsoft has to fix this problem in fweng.sys.

In the meantime I had to change the setting in the general configuration, IP settings, routing. There I had to remove the check mark.
The Microsoft supporter said that IP routing is not exactly what this setting is doing. It has something to do with the Kernel Mode Data Pump. When the mark is not set here, the SecureNAT and the Firewall Client work in user mode like the Web Proxy client and get the right MTU size. The price is only a little bit of performance.



_____________________________

Thanks, Daniel

Man grows cold faster than the planet he inhabits : Albert Einstein

(in reply to klaeger)
Post #: 3
RE: Cannot change MTU Size on External NIC - 14.Jun.2006 10:46:32 AM   
klaeger

 

This needs to be fixed by the solution provided in the upcoming Microsoft KB919621 article.

(in reply to klaeger)
Post #: 4
RE: Cannot change MTU Size on External NIC - 21.Jun.2006 1:07:51 AM   
jtnf

 

Posts: 20
Joined: 24.May2006
Status: offline
quote:

ORIGINAL: klaeger

This needs to be fixed by the solution provided in the upcoming Microsoft KB919621 article.



I may be suffering similar issues, but cannot find KB919621... Can you summarize what you've learned until Microsoft publishes this KB?

(in reply to klaeger)
Post #: 5
RE: Cannot change MTU Size on External NIC - 28.Jun.2006 10:43:16 AM   
klaeger

 

quote:

Can you summarize what you've learned until Microsoft publishes this KB?


A workaround for this issue is to disable routing in the IP Preferences section. This does not mean IP packet routing in general, but routing through the firewall engine.

Microsoft fixed the firewall engine and they give out this fix on demand.
After downloading and installing, a script needs to be executed to activate the hotfix.


Microsoft wrote:

PROBLEM:
After installing ISA Server 2004 in one of your locations you noticed that certain outbound traffic is not established correctly. This affected all Firewall Client traffic that was not handled by an Application Filter in ISA Server. In network traces we could see that ISA Server was not using the correct MSS value for the link and therefore the packets got dropped by routers on the Internet.
CAUSE:
There was a Bug in ISA Server 2004 that did not handle the MTU checking correctly
RESOLUTION:
Install ISA Server Hotfix 919621 and run the provided vbs script to activate the Hotfix

Script Code:

BEGIN_OF_VBS_SCRIPT
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'
' Copyright (c) Microsoft Corporation. All rights reserved.
' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
' HEREBY PERMITTED.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' This script adds a new VendorParametersSets under the array root.
' Used to added new parameters that are needed for hotfixes or service packs.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Sub AddReadMTUregistry()
   ' Create the root object.
   Dim root  ' The FPCLib.FPC root object
   Set root = CreateObject("FPC.Root")
   'Declare the other objects needed.
   Dim array       ' An FPCArray object
   Dim VendorSets  ' An FPCVendorParametersSets collection
   Dim VendorSet   ' An FPCVendorParametersSet object
   ' Get references to the array object
   ' and its vendor parameters sets collection.
   Set array = root.GetContainingArray
   Set VendorSets = array.VendorParametersSets
   On Error Resume Next
   Set VendorSet = VendorSets.Item( "{143F5698-103B-12D4-FF34-1F34767DEabc}" )
   If Err.Number <> 0 Then
       Err.Clear
       ' Add the item
       Set VendorSet = VendorSets.Add( "{143F5698-103B-12D4-FF34-1F34767DEabc}" )
       CheckError
       WScript.Echo "New VendorSet added... " & VendorSet.Name
   Else
       ' Report the parameter this script manages (the original echoed AllowVLANandNLB).
       WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value("ReadInterfaceMTU")
   End If
   if VendorSet.Value("ReadInterfaceMTU") <> true Then
       Err.Clear
       VendorSet.Value("ReadInterfaceMTU") = true
       If Err.Number <> 0 Then
           CheckError
       Else
           VendorSets.Save false, true
           CheckError
           If Err.Number = 0 Then
               WScript.Echo "Done with ReadInterfaceMTU, saved!"
           End If
       End If
   Else
       WScript.Echo "Done with ReadInterfaceMTU, no change!"
   End If
End Sub
Sub CheckError()
   If Err.Number <> 0 Then
       WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
       Err.Clear
   End If
End Sub
AddReadMTUregistry  
END_OF_VBS_SCRIPT


_____________________________

Thanks, Daniel

Man grows cold faster than the planet he inhabits : Albert Einstein

(in reply to jtnf)
Post #: 6
RE: Cannot change MTU Size on External NIC - 4.Jul.2006 9:01:51 PM   
sideshowtob

 

Posts: 3
Joined: 4.Jul.2006
Status: offline
I have been having a similar issue, but disabling the IP routing in the kernel mode seems to have helped.  Thanks!

I can't see the hotfix on Premier Support yet though.  Don't suppose yours is the English version?

(in reply to klaeger)
Post #: 7
RE: Cannot change MTU Size on External NIC - 25.Jul.2006 2:20:51 PM   
photonmonkey

 

Posts: 1
Joined: 25.Jul.2006
Status: offline

We disabled routing and the world is a better place.
Some symptoms included:
-internal clients can't RDP to an external test network through the ISA server
-SOME external clients CAN access internal terminal server, some can't.
-internal clients can't access HTTPS sites unless they use the proxy server (secure NAT doesn't work as expected)
-ISA is causing nausea and chest pain when used on a production basis.

WHERE'S THE PATCH!

(in reply to sideshowtob)
Post #: 8
