Just to add a clarification after the Proxmox case: the reassembly of the packets is caused by Netfilter only if the Firewall is enabled on the cluster
I also found this; now I'm trying to see if enabling conntrack (it is disabled in our environment because of another problem it caused)...
Hi,
after migration of a Checkpoint VSX to a VSEC Appliance on Proxmox infrastructure, it seems that traffic passing through this firewall presents high latency and packet loss.
Here is an example:
2021-09-20 08:58:34 --- 100 packets transmitted, 98 received, 2% packet loss, time 99027ms --- rtt...
Yesterday we tried to reboot the system, disabling the firewall, but nothing changed; on this specific VLAN (ID 2249) we're experiencing the issue.
Unfortunately we use the Jumbo MTU for some services on the VM.
The strange thing is the following:
VM ---->...
Hi spirit, thanks for your feedback.
There is fragmentation because the MTU is 1500 on the firewall appliance
And even by setting it to 9000 there would be an MPLS network with MTU 1500, so I have to change this behavior without any workaround
There is fragmentation because packets of RADIUS...
Hi to all,
we're experiencing a problem with the firewall on a Proxmox cluster and after a few tests it seems it's a Linux bridge problem
The packet capture shows that fragmented packets passing through the bridge are reassembled and sent out.
This is causing us some problems, even if proxmox cluster...
Solved: to avoid this without disabling the feature on the ASA or the firewall on Proxmox, it's possible to enable this option:
nf_conntrack_allow_invalid: 1
in /etc/pve/nodes/<nodename>/host.fw
I have some news: I narrowed the focus to the ASA, and more specifically to the ASA TCP sequence randomization function.
Disabling it in this way:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/firewall/asa-95-firewall-config/conns-connlimits.html#ID-2068-000003ec
all...
Dears,
We have the following scenario:
A Proxmox Cluster with version 6.3-3, kernel version 5.4.78-2 with 2 nodes:
On the network side we're using a Linux bridge with VLAN awareness, and the configuration of one node is the following:
auto lo
iface lo inet loopback
auto eno5
iface eno5 inet manual...
in an environment with a Linux bridge with VLAN-aware configuration, I've created a bash script to use as a HookScript as follows:
#!/bin/bash
NETID="tap$1i1"
if [[ "$2" == "post-start" ]]; then
echo "Configuring filter vlan for VM id: $1"
IFS=','
bridge vlan...