How does MSS affect Internet access

In a recent Barracuda CloudGen Firewall demo lab, I encountered a strange scenario: a Windows 10 PC could access some HTTPS websites, such as Google, YouTube, and Barracuda.com, but could not open other HTTPS websites, such as Yahoo. The same thing happened on another Windows PC and on an Ubuntu desktop in the same network segment. What could be the root cause, and how can we troubleshoot it?

Network Diagram and Description:

This demo lab environment includes a home router, a Barracuda CloudGen Firewall F18, a Layer 2 switch, and two Windows 10 PCs: WIN10-DMZ (192.168.60.25) in the default VLAN / DMZ-NET 192.168.60.0/24, and WIN10-LAN (192.168.80.12) in VLAN 20 / LAN-NET 192.168.80.0/24.

WIN10-DMZ (192.168.60.25) can access the Internet without any issue. WIN10-LAN (192.168.80.12) can open the Google and Barracuda.com websites but cannot open the Yahoo website.

Troubleshooting & Verification:

On WIN10-LAN, run ping www.yahoo.com and ping 8.8.8.8. Both succeed, so basic Internet access and DNS resolution are working.

On WIN10-LAN, run ping www.yahoo.com -f -l 1473

-f: set the Don't Fragment (DF) flag, so this packet must not be fragmented anywhere on the path

-l: the send buffer size, i.e. the number of bytes of ICMP data payload

Why 1473?

The default Maximum Transmission Unit (MTU) of an Ethernet interface is 1500 bytes. For TCP that is a 20-byte IPv4 header, a 20-byte TCP header (without options), and at most 1460 bytes of data payload, which is where the default Maximum Segment Size (MSS) of 1460 comes from.

For an ICMP echo the same 1500-byte MTU holds a 20-byte IPv4 header, an 8-byte ICMP header, and at most 1472 bytes of data payload:

Maximum ICMP data payload = 1500 (MTU) - 20 (IP header) - 8 (ICMP header) = 1472

A ping with 1473 bytes of payload is a 1501-byte IP packet, 1 byte larger than the MTU, so it would have to be fragmented.

The result is "Packet needs to be fragmented but DF set." This error is produced locally: Windows refuses to send a DF packet that is larger than its own interface MTU, so nothing is put on the wire.

On WIN10-LAN, run ping www.yahoo.com -f -l 1472

The result is "Request timed out." Note the difference from the previous test: a 1500-byte packet fits the PC's own interface MTU, so it is sent, but no reply ever comes back. Either a hop on the path silently discards it, or the ICMP "fragmentation needed" message that hop should return never reaches the PC.

On WIN10-LAN, run ping www.yahoo.com -f -l 1468

The result is a reply from Yahoo.

Why can WIN10-LAN not get a reply with a 1472-byte payload, while a 1468-byte payload works?

Is something wrong with the router, firewall, or switch configuration?

Next, I ran the same test from WIN10-DMZ (192.168.60.25) in the default VLAN.

On WIN10-DMZ, run ping www.barracuda.com and ping 8.8.8.8.

Both succeed, so basic Internet access and DNS resolution are working.

On WIN10-DMZ, run ping www.barracuda.com -f -l 1473

The result is "Packet needs to be fragmented but DF set", the same local error as on WIN10-LAN.

On WIN10-DMZ, run ping www.barracuda.com -f -l 1472

The result is a reply from Barracuda.com.

On WIN10-DMZ, run ping www.yahoo.com -f -l 1472

The result is a reply from Yahoo. The 1472-byte payload that times out from WIN10-LAN gets through from WIN10-DMZ to the same site, so the limit is on WIN10-LAN's network path, not at Yahoo.
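The manual walk above (1473, 1472, 1468) is a path MTU discovery by hand. The script below, an added example that is not part of the original post and not a Barracuda tool, automates it: it binary-searches the largest ICMP payload that still gets an echo reply with DF set, converts that to the path MTU, and derives the TCP MSS that fits. The host names, the 1496-byte simulated path used for the offline demonstration, and the "ttl=" reply heuristic are assumptions.

```python
"""DF-ping path MTU probe (added example, not from the original post)."""
import platform
import subprocess
import sys
from typing import Callable

IPV4_HEADER = 20
ICMP_HEADER = 8
TCP_HEADER = 20
VLAN_TAG = 4
ETHERNET_MTU = 1500


def ping_df(host: str, payload: int, timeout_s: int = 1) -> bool:
    """One echo request with DF set and `payload` data bytes.

    Heuristic (assumption): only a real echo reply line carries 'TTL='
    (Windows) or 'ttl=' (Linux); "Packet needs to be fragmented",
    "Request timed out", "Frag needed" and "message too long" do not.
    Windows uses -f/-l as in the post; Linux uses -M do/-s.
    """
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000),
               "-f", "-l", str(payload), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s),
               "-M", "do", "-s", str(payload), host]
    result = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return "ttl=" in (result.stdout + result.stderr).lower()


def largest_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Largest payload in [lo, hi] for which probe() still succeeds.

    Relies on the path being monotonic: once a size fails, every larger
    size fails too. lo must succeed (the plain ping from the write-up).
    """
    if not probe(lo):
        raise RuntimeError(f"even a {lo}-byte DF ping fails; check reachability first")
    while lo < hi:
        mid = (lo + hi + 1) // 2   # bias upwards so the loop converges on the last success
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def path_mtu_from_payload(payload: int) -> int:
    """ICMP payload -> size of the IP packet that traversed the path."""
    return payload + IPV4_HEADER + ICMP_HEADER


def tcp_mss_for_mtu(mtu: int) -> int:
    """MSS that keeps a full TCP segment inside `mtu` (no IP/TCP options)."""
    return mtu - IPV4_HEADER - TCP_HEADER


def explain(mtu: int) -> str:
    """Map the measured MTU onto the two cases seen in the lab."""
    if mtu >= ETHERNET_MTU:
        return "full 1500-byte path, default MSS 1460 is fine"
    if mtu == ETHERNET_MTU - VLAN_TAG:
        return "4 bytes short of 1500: consistent with an 802.1Q tag counted against the MTU"
    return f"path MTU {mtu}: a hop on the path has a smaller MTU than the host"


def simulated_path(mtu: int) -> Callable[[int], bool]:
    """Offline stand-in for ping_df (assumption): succeed iff the packet fits `mtu`."""
    return lambda payload: path_mtu_from_payload(payload) <= mtu


def probe(host_or_probe) -> dict:
    """Run the whole procedure; accepts a host name or a probe function."""
    fn = host_or_probe if callable(host_or_probe) else (lambda n: ping_df(host_or_probe, n))
    payload = largest_payload(fn)
    mtu = path_mtu_from_payload(payload)
    return {"payload": payload, "mtu": mtu, "mss": tcp_mss_for_mtu(mtu), "note": explain(mtu)}


if __name__ == "__main__":
    # `python probe.py www.yahoo.com` probes a real host; with no argument it
    # replays the VLAN 20 case against a simulated 1496-byte path.
    target = sys.argv[1] if len(sys.argv) > 1 else simulated_path(ETHERNET_MTU - VLAN_TAG)
    print(probe(target))
```

Against the simulated 1496-byte path the search stops at a 1468-byte payload, the same number found by hand, and reports MSS 1456; against a clean 1500-byte path it stops at 1472 and reports 1460. Run it once from each VLAN to get both numbers without guessing.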

Root Cause Analysis:

What is the difference between DMZ-NET 192.168.60.0/24 and LAN-NET 192.168.80.0/24?

DMZ-NET belongs to the default VLAN, and its traffic is sent untagged.

LAN-NET belongs to VLAN 20, so every Ethernet frame carries an additional 4-byte 802.1Q VLAN tag. On this path the tag is being counted against the 1500-byte limit, so the effective IP MTU on VLAN 20 is 1496 bytes, and the largest ICMP payload that gets through is 1496 - 20 - 8 = 1468 bytes, 4 bytes less than on WIN10-DMZ.

Note that this is not how 802.1Q is supposed to work: the tag sits in the Ethernet header, and VLAN-capable switches and NICs normally accept 1522-byte tagged frames, so tagging does not usually reduce the IP MTU. The measurements show that in this lab some hop on the VLAN 20 path (the switch, the firewall's VLAN interface, or a NIC) does not, which turns VLAN 20 into a path with a 1496-byte MTU.

Solution:

Since VLAN 20 is terminated on the Barracuda CloudGen Firewall, I updated the firewall configuration and set the Maximum Segment Size (MSS) to 1456 for the VLAN 20 subnet. The firewall then clamps the MSS option in TCP SYN packets it forwards, so both ends of every connection keep their segments small enough to fit through the VLAN:

MSS = maximum TCP data payload

= 1500 - 20 (TCP header) - 20 (IP header) - 4 (VLAN tag) = 1456 bytes.
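What that setting does on the wire is worth seeing once. The code below is an added example, not the Barracuda firewall's own implementation: it constructs a TCP SYN that advertises the host's default MSS of 1460, rewrites the MSS option to 1456 the way an MSS-clamping firewall would, and recomputes the TCP checksum so the packet is still valid. The addresses (WIN10-LAN's 192.168.80.12 and the documentation address 203.0.113.10), ports and sequence number are constructed sample values.

```python
"""MSS clamping on a TCP SYN (added example, not the firewall's code)."""
import socket
import struct

TCP_OPT_END, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2
PROTO_TCP = 6


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum including the IPv4 pseudo-header (src, dst, proto, length)."""
    pseudo = src + dst + struct.pack("!BBH", 0, PROTO_TCP, len(segment))
    return inet_checksum(pseudo + segment)


def tcp_options(segment: bytes):
    """Yield (kind, offset within the options area, value) for each TCP option."""
    data_offset = (segment[12] >> 4) * 4
    opts = segment[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCP_OPT_END:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        length = opts[i + 1]
        yield kind, i, opts[i + 2:i + length]
        i += length


def parse_mss(segment: bytes):
    """MSS advertised in a SYN's options, or None if the option is absent."""
    for kind, _, value in tcp_options(segment):
        if kind == TCP_OPT_MSS:
            return struct.unpack("!H", value)[0]
    return None


def build_syn(mss: int, src: str = "192.168.80.12", dst: str = "203.0.113.10") -> bytes:
    """Constructed sample: IPv4 packet (DF set) carrying a SYN that advertises `mss`."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    options = struct.pack("!BBH", TCP_OPT_MSS, 4, mss)
    data_offset = (20 + len(options)) // 4
    seg = bytearray(struct.pack("!HHIIBBHHH", 51000, 443, 0x1A2B3C4D, 0,
                                data_offset << 4, 0x02, 65535, 0, 0) + options)
    seg[16:18] = struct.pack("!H", tcp_checksum(src_b, dst_b, bytes(seg)))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 0x1234, 0x4000,
                     64, PROTO_TCP, 0, src_b, dst_b)          # 0x4000 = DF flag
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + bytes(seg)


def tcp_segment(packet: bytes) -> bytes:
    return packet[(packet[0] & 0x0F) * 4:]


def verify_tcp_checksum(packet: bytes) -> bool:
    """With a correct checksum, pseudo-header + segment sums to zero."""
    return tcp_checksum(packet[12:16], packet[16:20], tcp_segment(packet)) == 0


def clamp_mss(packet: bytes, max_mss: int) -> bytes:
    """What an MSS-clamping firewall does to a forwarded SYN.

    Only SYN segments carry the MSS option; other segments, and an MSS that
    already fits, pass through untouched. The checksum is recomputed because
    the option bytes changed.
    """
    ihl = (packet[0] & 0x0F) * 4
    seg = bytearray(packet[ihl:])
    if not seg[13] & 0x02:
        return packet
    for kind, off, value in tcp_options(bytes(seg)):
        if kind == TCP_OPT_MSS:
            if struct.unpack("!H", value)[0] > max_mss:
                pos = 20 + off + 2                      # skip kind and length bytes
                seg[pos:pos + 2] = struct.pack("!H", max_mss)
                seg[16:18] = b"\x00\x00"
                seg[16:18] = struct.pack(
                    "!H", tcp_checksum(packet[12:16], packet[16:20], bytes(seg)))
            break
    return packet[:ihl] + bytes(seg)


if __name__ == "__main__":
    syn = build_syn(1460)            # what WIN10-LAN sends: 1500 - 20 - 20
    fixed = clamp_mss(syn, 1456)     # what leaves the firewall on VLAN 20
    print("before:", parse_mss(tcp_segment(syn)), verify_tcp_checksum(syn))
    print("after: ", parse_mss(tcp_segment(fixed)), verify_tcp_checksum(fixed))
```

A SYN advertising 1400 is left alone, and only SYNs are touched; that is the whole mechanism, which is why clamping fixes every TCP connection through the VLAN while doing nothing for ICMP or UDP.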

Lessons Learned:

The default MTU of the firewall is 1500 bytes. A full-size TCP segment with 1460 bytes of data already makes a 1500-byte IP packet; once the 4-byte VLAN tag is added, the frame carries 1504 bytes above the Ethernet header, 4 bytes more than this path accepts, and the packet is dropped (or fragmented, if DF is not set).

This does not break every website. It only affects connections on which the remote server sends full-size 1460-byte segments with the DF bit set; smaller packets, and the sites that happened to use them, got through unaffected. Yahoo sends full-size segments, so its first large response never arrived at WIN10-LAN, while Google and Barracuda.com loaded.

To resolve the issue, set the MSS to 1456 on the firewall for the VLAN, so that TCP never produces a segment that needs the full 1500-byte MTU. It is also worth checking that ICMP "fragmentation needed" messages (type 3, code 4) are not being filtered on the path: the "Request timed out" result shows the PC was never told about the smaller MTU, and Path MTU Discovery cannot work without that message.

