Hello all!

We have connected several remote offices with bm37 site to site vpn to our
main department.
All remote offices should use our main proxy. But they have problems opening
some web pages.
As far as we have found, this problem is because of different mtu sizes.

When we set the mtu at the local proxy to 1350 everything works fine for all
the web pages.

But normally the proxy would use the default ethernet frame size and our vpn
servers are configured with "always allow ip fragmentation". With that
configuration the central vpn master fragments the packet and sends it to
the remote office. There we have restricted access with some packet filter
rules. The remote office server then always discards SOME of the fragmented
packets, even though there is no rule to do this! When we unload ipflt, filtsrv it
works. I have changed our packet filters so that the filter list is empty
and the exception list contains rules for all three interfaces. But the
packets are still discarded. When I activate filter debug and the appropriate
tcp filter debug I can see the exact information about the discarded packet
in the logger screen. When I create a dedicated rule matching this packet
it still doesn't work. The set parameter "Filter Fragmented Packets Discard"
is always set to off!

Can this be a problem with the filter module?

We have applied new tcp stacks, bm37sp4, nw6sp4, changed different set
parameters ... but still no success.

One question is if mtu path discovery is implemented in the tcpip stack
(proxy is nw51sp5, vpns are nw6sp3) and it should work? So we just have to
disable "always allow ....".

Or do we have to set the mtu size at all computers at the remote offices to
1350 and deactivate "always allow ip fragmentation" at the vpn servers?

Or is it a problem with the filter engine?

Thanks for help.