Problems accessing community.kde.org with non-1500 mtu connection

Ben Cooksley bcooksley at kde.org
Sun Jun 23 09:29:55 BST 2019


On Sat, Jun 22, 2019 at 10:05 PM Fabian Bläse <fabian at blaese.de> wrote:
>
> Hey Ben,

Hi Fabian,

>
> sorry for the delay, I've been busy as well.
>
> Due to their enterprise-foo security rules, they seem to not be interested in this problem.
> I'm sorry that I don't have the time to discuss this with them any further.

No worries. Their network setups have proven very unusual at times yes.

I assume our services protected by them are still accessible normally
over IPv4 from your networks?

>
> You might want to check if any firewalls are active on your services (if that is configurable) that might block ICMP(v6) messages.
> If not it looks like you have to contact them on your own. :-(

Our systems don't have any such firewalls so those shouldn't be an issue.

Chances are they'll request additional information (such as packet
captures) to diagnose the issue. Will you be in a position to provide
these if needed?

>
> Regards,
> Fabian

Cheers,
Ben

>
> On 17.05.19 23:48, Ben Cooksley wrote:
> > On Sun, May 5, 2019 at 8:22 AM Fabian Bläse <fabian at blaese.de> wrote:
> >>
> >> Hi,
> >
> > Hi Fabian,
> >
> >>
> >> On 04.05.19 09:52, Ben Cooksley wrote:
> >>> Okay. This is a rather strange issue as we've not seen any other
> >>> reports of people having issues accessing our sites, which I would
> >>> expect to receive if people were having issues with IPv4. My own
> >>> ability to do local testing is limited unfortunately, but I can
> >>> confirm my connection's MTU for IPv4 is most definitely less than 1500
> >>> and has no issue accessing the affected sites.
> >> For IPv4 this might be hidden by the fact, that mss clamping (dirty hack, only works for TCP) is done pretty much everywhere with smaller-than 1500 mtu.
> >> Even some really big companies like ubiquiti (who even make routers..) screw up the behaviour with icmp packet too big messages with IPv4 on their websites.
> >>
> >> With IPv6 Path MTU Discovery gets far more important however, because it does not allow fragmentation on router level.
> >>
> >>> Would you mind testing against our providers site, Imperva.com?
> >> I can't verify the behaviour for that site, because it isn't even connected to the (non-legacy, ipv6) internet.. (doesn't have an AAAA record)
> >> Jokes aside, it probably has the same issues.
> >> But because, as you already noticed, pings with big payload get dropped, I can't investigate this further (because, due to broken PMTUD on many sites, we have mss clamping active for IPv4)
> >>
> >>> As you're an ISP it might be easier to put you in direct contact with
> >>> them as chances are their entire network is affected.
> >> If you want I can contact them directly.
> >
> > If you could contact them directly I think that probably would be the
> > fastest way to get a resolution on this (otherwise they'll respond to
> > me, then i'll forward it on to you, which will just delay things). If
> > you need details to contact them please let me know.
> >
> > Sorry for taking so long to get back to you on this - things have been
> > quite busy lately.
> >
> >>
> >> Fabian
> >>
> >
> > Cheers,
> > Ben
> >
>


More information about the kde-www mailing list