CrOS - kMss / fragmented packets issues on VPN
Reported by
arnaud.h...@airliquide.com,
Sep 14 2016
Issue description

UserAgent: Mozilla/5.0 (X11; CrOS x86_64 8530.81.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.103 Safari/537.36
Platform: Platform 8530.81.0 (Official Build) stable-channel chell

Example URL: www.google.com

Steps to reproduce the problem:
1. Establish OTP VPN connection
2. Go to www.google.com
3. TIME_OUT

What is the expected behavior?
Get internet and internal network while connecting to VPN. Modify kMss on Chrome devices to 1360 as Windows OS.

What went wrong?
Chromebooks have a set MSS (= network packet size, roughly speaking) that's hard to change and that seems to interact negatively with the network while connecting to VPN gateways: the packet size is too high, so the packet gets fragmented (cut up into smaller packets) and they end up dropped at some point.

Did this work before? No

Chrome version: 53.0.2785.103
Channel: stable
OS Version: 8530.81.0
Flash Version: Shockwave Flash 22.0 r0

Changing the MSS on the core network routers might work, but they are critical infrastructure, so it's not clear the pros outweigh the cons.

VPN gateways: JUNIPER
Proxy: ZSCALER
,
Sep 29 2016
,
Oct 1 2016
The following revision refers to this bug:
https://chromium.googlesource.com/aosp/platform/system/firewalld/+/87c3339226126dfdbd70c7e7cd5fd35d599affba

commit 87c3339226126dfdbd70c7e7cd5fd35d599affba
Author: Kevin Cernekee <cernekee@google.com>
Date: Thu Sep 29 23:56:28 2016

Make sure all iptables commands use -w

iptables invocations that happen in parallel can "collide" with each other, resulting in intermittent failures. The `-w` flag prevents this.

BUG= chromium:646827
TEST=`FEATURES=test emerge-link firewalld`

Change-Id: Id0f8d982379b3dcaa87a08add8e24f434e0f0ae8
Reviewed-on: https://chromium-review.googlesource.com/391041
Commit-Ready: Kevin Cernekee <cernekee@chromium.org>
Tested-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Luigi Semenzato <semenzato@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>

[modify] https://crrev.com/87c3339226126dfdbd70c7e7cd5fd35d599affba/iptables.cc
,
Oct 1 2016
The following revision refers to this bug:
https://chromium.googlesource.com/aosp/platform/system/firewalld/+/b1ad0373613728b9f2457d2d04d4b7338537c16c

commit b1ad0373613728b9f2457d2d04d4b7338537c16c
Author: Kevin Cernekee <cernekee@google.com>
Date: Thu Sep 29 23:53:54 2016

Add TCPMSS rule when setting up VPNs

Third-party VPNs use policy routing to reroute Chrome/chronos traffic through the tunnel. This causes the MSS on TCP SYN packets to reflect the MTU from the original interface, not the tunnel MTU. Add a firewall rule that fixes this.

BUG= chromium:646827
TEST=manually verify MSS via tcpdump
TEST=`FEATURES=test emerge-link firewalld`

Change-Id: Ib1554bf8c3b061fde5a28c33b6df7a554c6c2686
Reviewed-on: https://chromium-review.googlesource.com/391040
Commit-Ready: Kevin Cernekee <cernekee@chromium.org>
Tested-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Luigi Semenzato <semenzato@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>

[modify] https://crrev.com/b1ad0373613728b9f2457d2d04d4b7338537c16c/iptables.cc
,
Oct 3 2016
Requesting late merge into M54.

Test procedure:
- Connect to third party VPN (such as AnyConnect).
- Verify that TCP MSS on SYN packets is 1460 on an unpatched build, and <1460 (probably in the 13xx range) on a patched build.
- Connect to other VPN types (third party, L2TP, OpenVPN) and verify that there wasn't a regression.
,
Oct 3 2016
BTW, the TCP MSS verification is done using something like `tcpdump -n -i tun0` on the Chrome OS host.
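The check described in the test procedure above can be scripted over saved `tcpdump -n` output. The following is an added example, not part of the original thread or of the firewalld change: it extracts the MSS option from SYN and SYN-ACK lines and compares it with what the tunnel MTU allows, and it goes slightly beyond the thread by also handling IPv6 lines. The function name, the sample capture lines, the addresses and the 1400-byte tunnel MTU are all assumptions constructed for illustration.

```python
import re

# Pulls address family, endpoints, flags and option list from a `tcpdump -n` TCP line.
LINE_RE = re.compile(
    r"\b(?P<fam>IP6?) (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]+)\].*?options \[(?P<opts>[^\]]*)\]"
)
MSS_RE = re.compile(r"\bmss (\d+)")

# Fixed IP + TCP header bytes (no options) that the MSS must leave room for.
HEADER_OVERHEAD = {"IP": 20 + 20, "IP6": 40 + 20}

# Constructed sample capture; addresses, ports and the 1400-byte MTU are assumptions.
ASSUMED_TUNNEL_MTU = 1400
SAMPLE_LINES = [
    "12:00:01.000001 IP 10.8.0.2.51000 > 198.51.100.7.443: Flags [S], seq 1000, "
    "win 29200, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0",
    "12:00:01.050000 IP 198.51.100.7.443 > 10.8.0.2.51000: Flags [S.], seq 2000, "
    "ack 1001, win 28960, options [mss 1360,sackOK,TS val 2 ecr 1,nop,wscale 7], length 0",
    "12:00:01.050100 IP 10.8.0.2.51000 > 198.51.100.7.443: Flags [.], ack 2001, "
    "win 229, options [nop,nop,TS val 3 ecr 2], length 0",
    "12:00:02.000000 IP 10.8.0.2.51002 > 198.51.100.7.443: Flags [S], seq 3000, "
    "win 29200, options [mss 1360,sackOK,TS val 4 ecr 0,nop,wscale 7], length 0",
]


def check_syn_mss(lines, tunnel_mtu):
    """Return one finding per SYN or SYN-ACK line that advertises an MSS."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or "S" not in m["flags"]:
            continue  # the MSS option is only carried on SYN and SYN-ACK
        mss = MSS_RE.search(m["opts"])
        if not mss:
            continue
        limit = tunnel_mtu - HEADER_OVERHEAD[m["fam"]]
        value = int(mss.group(1))
        findings.append({"src": m["src"], "dst": m["dst"], "mss": value,
                         "limit": limit, "fits_tunnel": value <= limit})
    return findings


if __name__ == "__main__":
    for f in check_syn_mss(SAMPLE_LINES, ASSUMED_TUNNEL_MTU):
        verdict = "ok" if f["fits_tunnel"] else "TOO LARGE for tunnel"
        print(f'{f["src"]} > {f["dst"]}: mss {f["mss"]} (limit {f["limit"]}) {verdict}')
```

An MSS above the limit on an outgoing SYN is the symptom the commit message describes: the value reflects the original interface's MTU rather than the tunnel's.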
,
Oct 3 2016
Your change meets the bar and is auto-approved for M54 (branch: 2840)
,
Oct 3 2016
The following revision refers to this bug:
https://chromium.googlesource.com/aosp/platform/system/firewalld/+/8193beca4ed7ee704793d4cebb50543516add591

commit 8193beca4ed7ee704793d4cebb50543516add591
Author: Kevin Cernekee <cernekee@google.com>
Date: Thu Sep 29 23:53:54 2016

Add TCPMSS rule when setting up VPNs

Third-party VPNs use policy routing to reroute Chrome/chronos traffic through the tunnel. This causes the MSS on TCP SYN packets to reflect the MTU from the original interface, not the tunnel MTU. Add a firewall rule that fixes this.

BUG= chromium:646827
TEST=manually verify MSS via tcpdump
TEST=`FEATURES=test emerge-link firewalld`

Change-Id: Ib1554bf8c3b061fde5a28c33b6df7a554c6c2686
Reviewed-on: https://chromium-review.googlesource.com/391040
Commit-Ready: Kevin Cernekee <cernekee@chromium.org>
Tested-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Luigi Semenzato <semenzato@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
(cherry picked from commit b1ad0373613728b9f2457d2d04d4b7338537c16c)

[modify] https://crrev.com/8193beca4ed7ee704793d4cebb50543516add591/iptables.cc
,
Oct 3 2016
,
Oct 7 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 7 2016
,
Oct 7 2016
,
Oct 21 2016
Issue 658296 has been merged into this issue.
,
Nov 19 2016
,
Jan 21 2017
,
Mar 4 2017
,
Apr 17 2017
,
May 30 2017
,
Aug 1 2017
,
Oct 14 2017
Comment 1 by bmcquade@chromium.org
, Sep 14 2016