RE: SUMMARY : Connectivity issues with NetScreen Firewalls and Linux/Solaris

From: Miller, Anthony, A, Tech Dev, VF UK <>
Date: Wed Jul 23 2003 - 10:42:48 EDT
The original posting is included at the end of this email.

Many thanks to the following:
Bruce Newcomer []
Bill - []
Crist Clark []
Steve Flaherty []

Both Joe and Bill nicely summed it up:

"Take a look at patch 110723-06

Files included with this patch:

Problem Description: 4797731 ethernet frame length on outgoing ip packets
over eri too long 4833490 Inconsistent behaviour on rx when data is 45
and 46 bytes"

This fixed the problem.

Thanks all for helping out.

Best regards - Tony Miller

		I am sorry to be a bit vague here, but here is the problem.

		We have just completed some testing and research into the NetScreen
firewalls and we have located a problem that is a combination of the way the
NetScreens filter packets and the manner in which Solaris creates them.

		Our network guys have advised that later versions of Solaris pad the IP
packet payload to a size greater than the TCP segment.  The NetScreen
verifies that the total size of the frame, payload lengths and packet headers
all match and a failure causes the firewall to drop the packet.
Retransmissions don't solve the problem as the NetScreen will consistently
drop them.

		This fault obviously causes major connectivity issues for Solaris running
particular versions of code.  While it is possible to circumvent the problem
on each individual copy of these operating systems, the only global solution
is to implement a later version of the NetScreen ScreenOS which doesn't check
IP payload length against the segment lengths.

		This behaviour is perfectly acceptable in an RFC (think back to the days of
Token Ring when there wasn't a concept of variable length frames) but Linux
and Solaris are the only (reported) operating systems that create such frames
and even then only in certain circumstances.

		We have Solaris-8 systems on both sides of the firewall.  Systems with QFE
interfaces can successfully talk across the firewall but systems with eri
interfaces do not - and exhibit the above problem.  These are the only
differences we can see.

		I can provide additional information and software versions if required.  I
am hoping however for some general pointers as to a possible resolution.
is really causing us a big headache.

|    Team Leader : Technical Projects,
|                  VODAFONE LTD,
|                  Derby  House,
|                  Newbury Business Park,
|                  Newbury, Berkshire.
|    Phone        +44 (0)1635-677687(local)
|    Mobile       +44 (0)7766-028752
|    Email
|    FAX          +44 (0)1635-233517
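The length consistency check the posting describes, as an added example that is not from this thread, from Sun or from NetScreen: a Python sanity check over constructed Ethernet/IPv4/TCP frames that flags trailing bytes beyond the padding needed to reach the 60-byte minimum Ethernet frame, which is the kind of mismatch an over-padding driver produces. The sample frames, the 60-byte rule and the strict equality test are assumptions; the exact ScreenOS logic is not on the page.

```python
import struct

ETH_HDR = 14
MIN_ETH_FRAME = 60  # minimum Ethernet frame without FCS; shorter frames are padded


def build_frame(tcp_payload: bytes, extra_pad: int = 0) -> bytes:
    """Construct an Ethernet/IPv4/TCP frame (constructed sample, not a capture).

    extra_pad models a driver that pads beyond the 60-byte minimum.
    """
    # src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp_hdr = struct.pack("!HHIIBBHHH", 1024, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip_len = 20 + len(tcp_hdr) + len(tcp_payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0, 64, 6, 0,
                         b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")  # RFC 1918 placeholders
    eth_hdr = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"  # dst, src, EtherType IPv4
    frame = eth_hdr + ip_hdr + tcp_hdr + tcp_payload
    # normal driver behaviour: pad only up to the minimum frame size
    if len(frame) < MIN_ETH_FRAME:
        frame += b"\x00" * (MIN_ETH_FRAME - len(frame))
    return frame + b"\x00" * extra_pad


def check_lengths(frame: bytes) -> dict:
    """Compare the on-the-wire frame length with the IP total-length field."""
    ihl = (frame[ETH_HDR] & 0x0F) * 4
    ip_total_len = struct.unpack_from("!H", frame, ETH_HDR + 2)[0]
    data_off = (frame[ETH_HDR + ihl + 12] >> 4) * 4
    tcp_payload_len = ip_total_len - ihl - data_off
    trailing = len(frame) - ETH_HDR - ip_total_len
    # padding is legitimate only where needed to reach the minimum frame size
    allowed_pad = max(0, MIN_ETH_FRAME - (ETH_HDR + ip_total_len))
    return {
        "ip_total_len": ip_total_len,
        "tcp_payload_len": tcp_payload_len,
        "trailing_bytes": trailing,
        "allowed_pad": allowed_pad,
        # a firewall applying the strict check drops anything that is not exact
        "consistent": trailing == allowed_pad,
    }


if __name__ == "__main__":
    for label, frame in [("normal runt", build_frame(b"")),
                         ("over-padded", build_frame(b"", extra_pad=10)),
                         ("full-size, over-padded", build_frame(b"GET / HTTP/1.0\r\n", extra_pad=4))]:
        print(label, check_lengths(frame))
```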
sunmanagers mailing list
Received on Wed Jul 23 10:42:44 2003

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:17 EST