The web server and the OpenVPN server are connected at 1 Gbps through an unmanaged switch. Some frames from the web server appear to be jumbo frames exceeding 1500 octets, even though the interfaces are configured for an MTU of 1492. The connection between the client and the OpenVPN server is via an ISP offering native IPv6 (dual stack); the client and server are on different ADSL services. Cisco routers are used on both services, at the client and server ends, and these are configured to let ICMPv6 unreachable messages through so that PMTUD works. Only one ISP exchange/central station is traversed, but this appears to be using a Cisco ASA 5500 series firewall or similar features in their router(s). The address of the device issuing the ICMPv6 unreachable messages has been partially anonymised by replacing the top 64 bits with 2001:db8:0:3. It has also been observed that the ISP applies sequence number randomisation to IPv6 in both directions (a default feature of the Cisco ASA and some other firewalls and ISP CE routers).

What we see in the samples is that an HTTP request has caused the server (192.168.1.1) to send the browser (192.168.6.132) a large frame; in sample 1 see lines 8 and 26, and in sample 2 lines 1 and 5, which are received by the OpenVPN server. OpenVPN encrypts the complete HTTP/TCP/IPv4 packet and passes it to the stack using sendmsg() or sendto(), which completes the transport envelope, resulting in packets sent from 2001:db8:0:1… (server) to 2001:db8:0:2… (client). In each case one of these messages carries an IPv6 extension header, which Wireshark reports as an IPv6 fragment. The ISP router disallows the extension headers, as per standard security and performance recommendations: fragments cannot be validated until they are reassembled, and reassembly opens the door to DoS-ing of the firewall besides adding latency.
As a result the ISP device sends back an ICMPv6 unreachable with code administratively prohibited (source 2001:db8:0:3…). This can be seen in Sample 1 at 17 (ICMPv6 rate limiting may be blocking the second message).

Here is the solution in case anyone else is wondering. Since LF and CRLF both share the LF character, I set the line delimiter to LF (0x0A). This works correctly for extracting the full records, with the side effect of leaving one extra CR character at the end of each record when CRLF is the delimiter. One can get rid of the extra CR character using a dummy field to absorb it, or by using a map. Note that since the LF and CRLF delimiters have different lengths (1 and 2 characters respectively), I had to make a couple more changes to the schema to ensure that both are handled correctly. In my scenario, each line record that is parsed contains 8 positional fields, so the extra CR character at the end resulted in an error, because BizTalk expects a certain length for the last field and that length does not account for the additional CR character. The solution is to increase the length of the 8th field (which is a Filler field in my case) by 1. However, in order to still be able to handle the LF line delimiter, make sure you set the 'Allow Early Termination' flag to TRUE. This way no errors are thrown if the last field is 1 character short of its assigned length (when the CR character was not included).
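As an added example (not code from this post and not BizTalk itself), here is a small Python emulation of the positional flat-file parsing described above: an LF-only line delimiter, the last Filler field widened by one character, and early termination allowed so LF-only records still parse. The field names, widths and the sample record are constructed values, not taken from the post.

```python
# Emulation of the post's positional flat-file parsing (not BizTalk code).
# Field names and widths below are constructed sample values.
FIELDS = [("RecordType", 2), ("Id", 6), ("Name", 10), ("Date", 8),
          ("Amount", 9), ("Currency", 3), ("Status", 1), ("Filler", 4)]

class RecordLengthError(ValueError):
    pass

def widen_filler(fields, extra=1):
    """The post's fix: lengthen the Filler field so a CR from CRLF fits in it."""
    *head, (name, width) = fields
    return head + [(name, width + extra)]

def parse_record(line, fields, allow_early_termination):
    """Slice one LF-delimited line; without early termination length must match."""
    expected = sum(w for _, w in fields)
    if len(line) > expected:
        raise RecordLengthError(f"{len(line) - expected} char(s) too long")
    if len(line) < expected and not allow_early_termination:
        raise RecordLengthError(f"{expected - len(line)} char(s) too short")
    record, pos = {}, 0
    for name, width in fields:
        record[name] = line[pos:pos + width]
        pos += width
    # Equivalent of the post's dummy-field/map step: drop the absorbed CR.
    record["Filler"] = record["Filler"].rstrip("\r")
    return record

def parse_file(data, fields, allow_early_termination):
    """Split on LF (0x0A) only, so LF and CRLF files are both accepted."""
    lines = [ln for ln in data.decode("ascii").split("\n") if ln]
    return [parse_record(ln, fields, allow_early_termination) for ln in lines]

def parses(data, fields, allow_early_termination):
    """True if every record parses, False on a record length error."""
    try:
        parse_file(data, fields, allow_early_termination)
        return True
    except RecordLengthError:
        return False

# Constructed sample: one 43-character record, once per delimiter style.
RECORD = ("01" + "000042" + "SMITH     " + "20240101" + "000001999"
          + "USD" + "A" + "    ")
LF_FILE = (RECORD + "\n").encode("ascii")
CRLF_FILE = (RECORD + "\r\n").encode("ascii")

if __name__ == "__main__":
    print(parse_file(CRLF_FILE, widen_filler(FIELDS), True))
```

With the original 4-character Filler, the CRLF file is rejected as one character too long; with the widened Filler and early termination enabled, both the LF and CRLF files parse and the Filler field comes out without the CR.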