Hello,

This issue happens when the don't defragment bit is set, and MTU path discovery is unavailable due to uninformed firewall administrators who think "ALL ICMP IS BAD". There are certainly ICMP-based attacks, but they don't warrant completely killing off ICMP.

What would be nice is for VPNs to simply (within the tunnel) ignore the don't defragment bit, or to have a DHCP option that could be used to set the max MTU size for the local network. It is possible to set the MTU for an interface to something under 1400 and eliminate this problem (Q120642), but it is not ideal.

Bill

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Thursday, June 26, 2003 10:32 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: AW: Online Banking Issues

http://www.ISAserver.org

Hi John,

Excellent info! Someone else brought up the PMTU discovery issue for his university network, which created its own problems. I stand corrected on this issue :)

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
Sent: Thursday, June 26, 2003 9:23 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: AW: Online Banking Issues

http://www.ISAserver.org

> This is what I am suspecting, and I have no problem making a registry change for
> the oddball site, or a config file change if needed for the same thing, but for
> national banking firms, they better get their 'stuff' straight. They still say they are
> working with Microsoft to get it fixed. I'll let the group know when they get it fixed,
> and what they did if they will tell me.

Before we shoot the site programmers, it may not be entirely their fault. I still have a suspicion that it is more of a security firewall issue.
Here is my conclusion on the issue I was working on for a client a month ago:

"05/19/03 6:00 PM Case wrapup. It appears this issue was caused by a change in the way WellsFargo does a security check on the inbound packets. The SonicWall is set to fragment outgoing packets at 1404 to resolve a blackhole router issue setting up VPN with Toronto; that was done in December of 2001. Normally then, if the client does not discover the recipient MTU, the firewall will repackage the packets to the small size. I received more information about this from the Imail Forum group, where one person said they are probably blocking ICMP Code 3 Type 4, which would screw up the MTU path discovery, which would have allowed the client to switch automatically to a smaller MTU size. So, by forcing the clients to use a MTU packet size of 1400, the outbound packets were never fragmented, and thereby never changed. This also requires updates Q810847 and Q813951 to be installed on the client."

So, if the client, or even their firewall/router, is not able to discover the MTU path, and the packets are fragmented at some point, the problem appears. This is also why the problem does not occur with regular websites, only SSL, where there is additional overhead added to the packets.
John Tolmachoff
MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
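Added example, not taken from any message in this thread: a small Python model of the mechanism the thread is arguing about. The message a router sends back when a DF-flagged datagram is too large is ICMP Type 3 (Destination Unreachable), Code 4 (Fragmentation Needed and DF set), carrying the next-hop MTU per RFC 1191. The code builds such a message from a constructed 1500-byte client datagram, shows the firewall policy that admits it only when it refers to a flow an inside host actually opened (rather than blocking all ICMP), and shows the host lowering its path MTU and TCP MSS accordingly. With the message blocked, the client keeps its 1500-byte assumption and the datagram is black-holed, which is the failure the thread describes. The addresses are RFC 5737 documentation addresses and every function name here is my own, not any product's API.

```python
import socket
import struct

# Constructed sample addresses (RFC 5737 documentation ranges), not from the thread.
CLIENT = "192.0.2.10"
BANK = "198.51.100.20"
ICMP_FRAG_NEEDED = (3, 4)  # Type 3 Destination Unreachable, Code 4 Fragmentation Needed


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, total_length: int, df: bool = True, proto: int = 6) -> bytes:
    """Minimal IPv4 header without options; bit 14 of the flags/fragment word is DF."""
    flags_frag = 0x4000 if df else 0x0000
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234, flags_frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def df_set(ip_header: bytes) -> bool:
    """True when the sender asked routers not to fragment this datagram."""
    return bool(struct.unpack("!H", ip_header[6:8])[0] & 0x4000)


def total_length(ip_packet: bytes) -> int:
    """Total Length field of an IPv4 header."""
    return struct.unpack("!H", ip_packet[2:4])[0]


def build_frag_needed(orig_packet: bytes, next_hop_mtu: int) -> bytes:
    """What a router emits for an oversized DF datagram (RFC 792 layout, RFC 1191 next-hop
    MTU field), quoting the original IP header plus the first 8 payload bytes."""
    ihl = (orig_packet[0] & 0x0F) * 4
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + orig_packet[:ihl + 8]
    return body[:2] + struct.pack("!H", ip_checksum(body)) + body[4:]


def parse_frag_needed(icmp: bytes):
    """Fields a host or firewall needs from a Type 3/Code 4 message, or None when the
    message is a different type, is truncated, or fails its checksum."""
    if len(icmp) < 28:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != ICMP_FRAG_NEEDED or ip_checksum(icmp) != 0:
        return None
    quoted = icmp[8:]
    return {
        "next_hop_mtu": mtu,
        "orig_src": socket.inet_ntoa(quoted[12:16]),
        "orig_dst": socket.inet_ntoa(quoted[16:20]),
        "orig_proto": quoted[9],
    }


def firewall_admits(icmp: bytes, active_flows) -> bool:
    """Stateful policy: admit Fragmentation Needed only when the quoted header matches a
    flow an inside host started. This keeps PMTUD working without opening all of ICMP."""
    info = parse_frag_needed(icmp)
    if info is None:
        return False
    return (info["orig_src"], info["orig_dst"], info["orig_proto"]) in active_flows


def host_apply_pmtu(current_pmtu: int, icmp: bytes) -> int:
    """Host side of PMTUD: shrink the cached path MTU on a valid message. A zero MTU field
    (router predating RFC 1191) falls back to the 576-byte IPv4 minimum."""
    info = parse_frag_needed(icmp)
    if info is None:
        return current_pmtu
    return min(current_pmtu, info["next_hop_mtu"] or 576)


def tcp_mss_for_mtu(mtu: int) -> int:
    """MSS = MTU minus a 20-byte IP header and a 20-byte TCP header (no options)."""
    return mtu - 40


def simulate(icmp_blocked: bool, path_mtu: int = 1400, client_mtu: int = 1500) -> dict:
    """Walk one DF-flagged client datagram through a path with a smaller MTU. When the
    firewall drops Type 3/Code 4, the client never learns the smaller MTU and keeps
    sending oversized DF packets that the router must discard: a PMTUD black hole."""
    datagram = build_ipv4_header(CLIENT, BANK, client_mtu) + b"\x00" * 8  # constructed payload
    flows = {(CLIENT, BANK, 6)}  # the client's own TCP flow, as a stateful firewall tracks it
    pmtu = client_mtu
    if df_set(datagram) and total_length(datagram) > path_mtu:
        icmp = build_frag_needed(datagram, path_mtu)
        if not icmp_blocked and firewall_admits(icmp, flows):
            pmtu = host_apply_pmtu(pmtu, icmp)
    return {"pmtu": pmtu, "mss": tcp_mss_for_mtu(pmtu), "black_holed": pmtu > path_mtu}


if __name__ == "__main__":
    print("all ICMP blocked:", simulate(icmp_blocked=True))
    print("Type 3/Code 4 admitted:", simulate(icmp_blocked=False))
```

The thread's workaround of pinning the interface MTU to 1400 corresponds to calling `tcp_mss_for_mtu(1400)` up front (1360-byte segments) so no datagram ever exceeds the path and no ICMP is needed; the firewall-side fix is the `firewall_admits` policy, which lets PMTUD recover on its own while still rejecting Fragmentation Needed messages that do not match an existing connection or fail their checksum.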