The PhoneBoy Blog

Simplifying Telecom, Mobile Phones, Gadgets, and More!

FireWall-1 FAQ: VPNs fail when transferring large packets

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet, and people are still clicking on them.

I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.

If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)

Some applications set the "Don't Fragment" (DF) bit on the packets they send, and a bulk transfer (say, copying a large file) sends those packets at the full size of the link MTU. When FireWall-1 encrypts such a packet, the IPSEC headers it adds push the encrypted packet over the MTU of the outgoing link, so it can only be sent if it is fragmented. The problem is that FireWall-1 copies the DF bit from the original packet onto the new IPSEC packet. The end result is a packet that needs to be fragmented to get through but is marked as not to be fragmented, so it cannot be fragmented and is dropped. Small interactive traffic fits under the MTU even after encryption and gets through; large transfers stall.
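The size arithmetic behind that failure, as an added example (this is not code from the original FAQ or from Check Point): a small Python model of ESP tunnel-mode encapsulation that shows when a DF-marked packet is dropped, what clearing the DF bit changes, and the largest inner packet that still fits. The overhead figures (20-byte outer IPv4 header, 8-byte ESP header, cipher IV and block padding, 2-byte ESP trailer, 12-byte ICV), the 1500-byte path MTU and the packet sizes in the sample burst are all assumptions made for the model.

```python
"""Why a DF-marked packet dies at an IPsec gateway: the size arithmetic.

Added example, not from the original FAQ.  Overheads assumed: IPv4 tunnel
mode, ESP with a CBC cipher and a 96-bit HMAC integrity check value.
"""

IPV4_HDR = 20      # outer IPv4 header added in tunnel mode (no options)
ESP_HDR = 8        # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad length (1 byte) + next header (1 byte)


def esp_tunnel_size(inner_len, block=16, iv=16, icv=12):
    """Wire length of an inner IPv4 packet after ESP tunnel encapsulation.

    Defaults model AES-CBC (16-byte block and IV) with HMAC-SHA1-96 (12-byte
    ICV); pass block=8, iv=8 for 3DES-CBC.  ESP pads the payload so that
    payload + trailer is a multiple of the cipher block size.
    """
    pad = (-(inner_len + ESP_TRAILER)) % block
    return IPV4_HDR + ESP_HDR + iv + inner_len + pad + ESP_TRAILER + icv


def gateway_decision(inner_len, df_set, copy_df, mtu=1500, **overhead):
    """What the encrypting gateway does with one inner packet.

    copy_df=True models the behaviour the FAQ describes (the inner DF bit is
    copied onto the outer header); copy_df=False models the DF bit being
    cleared on the encrypted packet.  Returns "forward", "fragment" or "drop".
    """
    outer_len = esp_tunnel_size(inner_len, **overhead)
    if outer_len <= mtu:
        return "forward"
    if df_set and copy_df:
        return "drop"        # too big, and the outer DF bit forbids fragmenting it
    return "fragment"        # outer packet is fragmented; the peer gateway reassembles


def max_inner_len(mtu=1500, **overhead):
    """Largest inner packet whose encapsulated form still fits the path MTU.

    This is the largest DF-marked probe (e.g. a ping with DF set) that should
    survive the tunnel, and, minus 40 bytes of IP+TCP header, the MSS you would
    clamp to if you cannot clear the DF bit.
    """
    inner = mtu
    while inner > 0 and esp_tunnel_size(inner, **overhead) > mtu:
        inner -= 1
    return inner


def simulate_transfer(sizes, copy_df, mtu=1500, **overhead):
    """Push a burst of DF-marked packets through the gateway; outcome per size."""
    return {n: gateway_decision(n, True, copy_df, mtu, **overhead) for n in sizes}


if __name__ == "__main__":
    # Constructed sample: a TCP bulk transfer sends full-size 1500-byte
    # segments with DF set (path MTU discovery), plus ACK-sized packets.
    burst = [1500, 1500, 52, 1500, 1438, 52]
    print("DF copied to outer header:", simulate_transfer(burst, copy_df=True))
    print("DF cleared on outer header:", simulate_transfer(burst, copy_df=False))
    print("largest inner packet that fits a 1500-byte path:", max_inner_len())
```

Run it and the 1500-byte segments of the constructed burst come back as "drop" with the DF bit copied and "fragment" with it cleared, while the 52-byte ACKs are forwarded either way; max_inner_len() returns 1438 for the AES-CBC defaults, which is the largest DF-marked probe that should make it through the tunnel and the quickest way to confirm the diagnosis before touching the gateway.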

In FireWall-1 NG, you can force FireWall-1 to clear the Don't Fragment bit by changing the ipsec_dont_fragment property of the gateway object in objects_5_0.C to false. Do this with the following dbedit commands on the management console (craig is the name of the firewall object in this example), or change the property with GUIdbedit, and then reinstall the security policy so the gateway picks up the change:

    dbedit> modify network_objects craig VPN:ipsec_dont_fragment false
    dbedit> update network_objects craig

For Solaris, in FireWall-1 4.1 you can force FireWall-1 to clear the Don't Fragment bit by setting the fw_ipsec_dont_fragment kernel variable. Add the following line to /etc/system so the setting takes effect on every reboot:

    set fw:fw_ipsec_dont_fragment=0x0

To make the same change on the running kernel without rebooting:

    echo "fw_ipsec_dont_fragment?w 0x0" | adb -w -k /dev/ksyms /dev/mem

For HPUX 9, use the following command and reboot the gateway:

    # echo "fw_ipsec_dont_fragment?W0" | adb -w /hp-ux

For HPUX 10, use the following command and reboot the gateway:

    # echo "fw_ipsec_dont_fragment?W0" | adb -w /stand/vmunix

For AIX, stop FireWall-1, patch the variable in the kernel module, and start FireWall-1 again:

    # fwstop
    # echo "fw_ipsec_dont_fragment?W0" | adb -w $FWDIR/modules/fwmod.4.x.o
    # fwstart

For Windows NT, I do not know how to make this change.

Editor's Note: If someone discovers how to do this, please let us know.

For IPSO (VPN-1 Appliance or Nokia IPxxx), you will need to get the 'modzap' utility from Resolution 1261 in Nokia's Knowledge Base. You can then use the following command to set fw_ipsec_dont_fragment to 0 in the kernel module, and reboot the system:

    # modzap -s _fw_ipsec_dont_fragment $FWDIR/modules/fwmod.o 0x0

For Linux, add the following to $FWDIR/boot/modules/fwkern.conf and restart FireWall-1:


SecuRemote and Large File Transfers

The above also applies when using SecuRemote.

Note that problems with large file transfers can also occur with SecuRemote builds earlier than 4115 when using FWZ with MD5 checksums. The fix there is to use IKE/ISAKMP, disable MD5 checksums, or upgrade.
