The original posting is included at the end of this email.

Many thanks to the following:

joe.fletcher@btconnect.com
Bruce Newcomer [bruce_newcomer@technologist.com]
Bill - [sysadm@its.brooklyn.cuny.edu]
Crist Clark [crist.clark@globalstar.com]
Steve Flaherty [steve@unminc.com]

Both Joe and Bill nicely summed it up:

"Take a look at patch 110723-06

Files included with this patch:
/kernel/drv/sparcv9/eri

Problem Description:
4797731 ethernet frame length on outgoing ip packets over eri too long
4833490 Inconsistent behaviour on rx when data is 45 and 46 bytes"

This fixed the problem. Thanks all for helping out.

Best regards - Tony Miller

==========================Original Posting===============================================

I am sorry to be a bit vague here, but here is the problem.

We have just completed some testing and research into the NetScreen firewalls and we have located a problem that is a combination of the way the NetScreen filters packets and the manner in which Solaris creates them.

Our network guys have advised that later versions of Solaris pad the IP packet payload to a size greater than the TCP segment. The NetScreen firewall verifies that the total size of the frame, payload lengths and packet headers all match and a failure causes the firewall to drop the packet. Retransmissions don't solve the problem as the NetScreen will consistently drop them.

This fault obviously causes major connectivity issues for Solaris running particular versions of code. While it is possible to circumvent the problem on each individual copy of these operating systems, the only global solution is to implement a later version of the NetScreen ScreenOS which doesn't check the IP payload length against the segment lengths.

This behaviour is perfectly acceptable in an RFC (think back to the days of Token Ring when there wasn't a concept of variable length frames) but Linux and Solaris are the only (reported) operating systems that create such frames and even then only in certain circumstances.

We have Solaris-8 systems on both sides of the firewall. Systems with QFE interfaces can successfully talk across the firewall but systems with eri interfaces do not - and exhibit the above problem. These are the only differences we can see.

I can provide additional information and software versions if required. I am hoping however for some general pointers as to a possible resolution. This is really causing us a big headache.

+----------------------------------------+
| TONY MILLER
| Team Leader : Technical Projects,
| VODAFONE LTD,
| Derby House,
| Newbury Business Park,
| Newbury, Berkshire.
|
| Phone +44 (0)1635-677687(local)
| Mobile +44 (0)7766-028752
| Email anthony.miller@vf.vodafone.co.uk
| FAX +44 (0)1635-233517
+-------------------------------------------

Received on Wed Jul 23 10:42:44 2003
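
Added example (not part of the original email or of the Sun patch): a Python check that can be run over captured frames to confirm the symptom described above, comparing each frame's length with the IPv4 Total Length field and separating normal minimum-frame padding from extra trailing bytes. The frames are constructed test data; the verdict names, the make_frame helper and the reading of the 45/46-byte boundary as IPv4 total length are assumptions of this example.

```python
import struct

ETH_HDR = 14   # dst MAC + src MAC + EtherType; assumes no VLAN tag, FCS not captured
ETH_MIN = 60   # minimum Ethernet frame length without the 4-byte FCS
IPV4 = 0x0800

def classify(frame: bytes) -> tuple[str, int]:
    """Return (verdict, trailer_bytes) for one captured Ethernet frame."""
    if len(frame) < ETH_HDR + 20:
        return ("not-ipv4", 0)
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != IPV4 or frame[ETH_HDR] >> 4 != 4:
        return ("not-ipv4", 0)
    (ip_total,) = struct.unpack_from("!H", frame, ETH_HDR + 2)
    trailer = len(frame) - ETH_HDR - ip_total   # bytes after the IP datagram ends
    if trailer < 0:
        return ("truncated", trailer)
    if trailer == 0:
        return ("exact", 0)
    if len(frame) == ETH_MIN:
        return ("min-pad", trailer)             # padding needed to reach 60 bytes
    return ("extra-trailer", trailer)           # bytes the minimum size does not explain

def make_frame(ip_total: int, extra: int = 0) -> bytes:
    """Constructed test frame: zeroed MACs, minimal IPv4 header, zero payload.
    Pads to ETH_MIN as a correct driver would, then appends `extra` bytes."""
    eth = bytes(12) + struct.pack("!H", IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 6, 0,
                     bytes(4), bytes(4))        # checksum left 0: not examined here
    frame = eth + ip + bytes(ip_total - len(ip))
    frame += bytes(max(0, ETH_MIN - len(frame)))
    return frame + bytes(extra)

if __name__ == "__main__":
    # 45 and 46 sit on either side of the 46-byte Ethernet minimum payload.
    for total, extra in [(45, 0), (46, 0), (100, 0), (100, 4), (45, 3)]:
        frame = make_frame(total, extra)
        print(f"ip_total={total:3d} frame_len={len(frame):3d} -> {classify(frame)}")
```

Frames reported as "extra-trailer" are the ones a device that insists on matching frame and IP lengths would be expected to reject, while "min-pad" frames carry only the padding every Ethernet sender must add.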