Version: Stable channel 53
OS: ChromeOS
What steps will reproduce the problem?
(1) Create a VPN connection and connect, which will create tun0 with an MTU of 1400.
(2) Browse to a web page with packet capture enabled on the VPN device's internal interface.
(3) You will see the web page TCP/MSS is 1460.
What is the expected output?
We expect the TCP/MSS to be 1360 in this scenario.
What do you see instead?
We see the TCP/MSS is 1460.
We see that ChromeOS is setting the TCP MSS for packets going through the VPN tunnel to 1460. We are expecting the MSS to be 1360, as we set the tun0 MTU to 1400.
The only reason the VPN works is because we are getting ICMP Destination Unreachable (fragmentation needed) errors. The PMTU calculation significantly slows down browser activity, as it causes large packets to be retransmitted.
Our customer, unfortunately, is blocking ICMP traffic, so the ChromeOS VPN client fails with any large packets.
Using this setting, as suggested by Google, clamps the MSS to the tun0 MTU:
iptables -t mangle -A POSTROUTING -p tcp -o tun0 --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
From Google engineering:
I can reproduce this on my test server if I sniff the packets and manually verify the MSS:
15:13:01.866795 ip: 192.168.32.25.39627 > 10.1.1.1.1234: Flags [S], seq 1206526468, win 14600,
options [mss 1460,sackOK,TS val 118171888 ecr 0,nop,wscale 7], length 0
It doesn't really cause an issue for me because the VPN gateway is set up to clamp the TCP MSS of the forwarded packets based on the next-hop:
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
but I could see how it might be a problem on a setup that expects the client to clamp the MSS based on the tun0 MTU.
Android had a similar problem when they switched over to policy based routing a few years ago:
https://code.google.com/p/android/issues/detail?id=61948
http://b/11579326 [internal]
Their remedy was to add a new rule on the client side. Does this fix it for you?
iptables -t mangle -A POSTROUTING -p tcp -o tun0 --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
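The arithmetic behind this report is that a TCP endpoint should advertise MSS = MTU - 40 bytes (20-byte IPv4 header plus 20-byte TCP header, no options), so a tun0 MTU of 1400 calls for an MSS of 1360, and an MSS of 1460 means full-size segments will exceed the tunnel MTU and survive only if ICMP fragmentation-needed messages get through. The following is an added example, not code from the bug report or from ChromeOS: a small Python checker that parses the MSS option out of a tcpdump SYN line (the capture above, plus a constructed line showing what a clamped SYN looks like), compares it against the tunnel MTU, and models what the TCPMSS --clamp-mss-to-pmtu rule would rewrite it to. It assumes IPv4 without IP options; the IPv6 header size is passed in explicitly where needed.

```python
"""Verify that the MSS advertised in a TCP SYN fits a tunnel's MTU.

Added example for the MSS/MTU discussion above; not part of the original report.
Assumes IPv4 (20-byte IP header) and a TCP header without options (20 bytes),
which is the basis the TCPMSS target uses for --clamp-mss-to-pmtu on IPv4.
"""
import re

IPV4_HEADER = 20   # bytes, no IP options
IPV6_HEADER = 40   # bytes, fixed header
TCP_HEADER = 20    # bytes; MSS is measured after the base TCP header


def expected_mss(mtu: int, ip_header: int = IPV4_HEADER) -> int:
    """MSS an endpoint should advertise for a link MTU: MTU minus IP and TCP headers."""
    return mtu - ip_header - TCP_HEADER


def clamp_mss(mss: int, pmtu: int, ip_header: int = IPV4_HEADER) -> int:
    """Model of --clamp-mss-to-pmtu: lower the MSS to fit the path MTU, never raise it."""
    return min(mss, expected_mss(pmtu, ip_header))


# Matches a tcpdump SYN (or SYN-ACK) and captures the bracketed options list.
_SYN_RE = re.compile(r"Flags \[S\.?\].*?options \[(?P<opts>[^\]]*)\]")


def parse_syn_mss(line: str):
    """Return the MSS option from a tcpdump SYN line, or None if absent.

    tcpdump may wrap one packet across two lines (as in the report), so
    whitespace is normalised before matching.
    """
    flat = " ".join(line.split())
    m = _SYN_RE.search(flat)
    if not m:
        return None
    mss = re.search(r"\bmss (\d+)", m.group("opts"))
    return int(mss.group(1)) if mss else None


def check_syn(line: str, tunnel_mtu: int, ip_header: int = IPV4_HEADER):
    """Compare the advertised MSS with what the tunnel MTU allows.

    Returns None for non-SYN lines; otherwise a dict describing whether full-size
    segments would fit the tunnel or would need ICMP fragmentation-needed / PMTUD.
    """
    mss = parse_syn_mss(line)
    if mss is None:
        return None
    limit = expected_mss(tunnel_mtu, ip_header)
    return {
        "mss": mss,
        "limit": limit,
        "ok": mss <= limit,
        "max_packet": mss + ip_header + TCP_HEADER,  # largest full segment on the wire
        "clamped_to": clamp_mss(mss, tunnel_mtu, ip_header),
    }


# The SYN captured in the report (joined from its two printed lines).
REPORTED_SYN = (
    "15:13:01.866795 ip: 192.168.32.25.39627 > 10.1.1.1.1234: Flags [S], "
    "seq 1206526468, win 14600, options [mss 1460,sackOK,TS val 118171888 ecr 0,"
    "nop,wscale 7], length 0"
)

# Constructed line: the same SYN after an MSS clamp to a 1400-byte tunnel MTU.
CLAMPED_SYN = REPORTED_SYN.replace("mss 1460", "mss 1360")

TUNNEL_MTU = 1400  # tun0 MTU from the report

if __name__ == "__main__":
    for label, line in (("reported", REPORTED_SYN), ("clamped", CLAMPED_SYN)):
        r = check_syn(line, TUNNEL_MTU)
        verdict = "fits tunnel" if r["ok"] else "exceeds tunnel; relies on ICMP frag-needed"
        print(f"{label}: mss={r['mss']} limit={r['limit']} "
              f"max_packet={r['max_packet']} -> {verdict}")
```

Run against a capture on the tunnel interface, an `ok: False` result is exactly the condition in the report: the client sends 1500-byte segments into a 1400-byte tunnel, and once ICMP is filtered there is nothing left to shrink them. The `clamped_to` value is what the POSTROUTING TCPMSS rule would write into the SYN on tun0.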
Comment 1 by cernekee@chromium.org, Oct 21 2016
Status: Duplicate (was: Untriaged)