Black Box ET0010A, ET1000A Reassembly Mode, Ignore DF Bit settings, Reassembly mode settings

Models: EncrypTight ET0100A ET0010A ET1000A


ETEP Configuration

Ignore DF Bit

When the ETEP is configured for use in Layer 3 IP encryption policies, its default behavior is to enable the Ignore DF Bit setting on the local port. This tells the ETEP to ignore the “do not fragment” (DF) bit in the IP header and to fragment outbound packets that exceed the MTU of the system. Use this setting under the following conditions:

Reassembly mode is set to gateway

ICMP is blocked at the firewall

Path MTU (PMTU) discovery isn’t working

A symptom of a PMTU problem is a network that operates normally when traffic passes in the clear but loses packets once encryption is turned on. The encryption header makes every packet larger, so full-size packets that fit the path in the clear now exceed the PMTU; if they carry the DF bit and the ICMP message that would tell the sender to reduce its packet size is blocked or never generated, they are silently discarded.

You can override the default behavior by disabling the Ignore DF Bit setting on the local port. The ETEP then discards packets in which the DF bit is set and whose length, including the encryption header, exceeds the PMTU.

Table 89   Ignore DF Bit settings

Setting     Description

Enabled     The ETEP ignores the DF bit in the IP header and fragments outbound packets greater than the MTU of the system. This setting is automatically enabled when the reassembly mode is set to gateway.

Disabled    The ETEP acts in accordance with the DF bit setting in the IP header.

Related topic:

“Reassembly Mode” on page 310

Reassembly Mode

The reassembly mode setting applies to packets entering the ETEP’s local port that are subject to fragmentation. This setting specifies whether packets are fragmented before or after they are encrypted and who performs the reassembly of the fragmented packet: the destination host or gateway.

The reassembly mode option is available only when the ETEP’s Encryption Policy Setting is set to Layer 3:IP. When the Encryption Policy Setting is set to Layer 2:Ethernet, packets that are subject to fragmentation are encrypted prior to fragmentation. Layer 2 jumbo packets that exceed the PMTU are discarded. The Encryption Policy Setting is configured on the Features tab.

Table 90   Reassembly mode settings

Setting     Description

Gateway     This setting is recommended for ETEP-ETEP encryption. Packets are encrypted first and then fragmented based on the new packet size, which includes the encryption header. This behavior is consistent with RFC 2401. The gateway (ETEP) performs the reassembly. When the reassembly mode is set to gateway, the Ignore DF Bit setting is automatically enabled.

Host        This setting is required for the ETEPs to interoperate successfully with some security gateways. Packets are fragmented before they are encrypted, and the encryption header is added to each packet fragment. The destination host performs the reassembly.
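The following model ties together the Ignore DF Bit behavior described on this page and the two reassembly modes in Table 90. It is an added example, not Black Box code, and it assumes figures the guide does not state: a 20-byte IPv4 header, 58 bytes of encryption overhead per encrypted packet (an illustrative ESP-style number, not the ETEP's actual overhead), and cleartext fragments whose payloads are multiples of 8 bytes as IPv4 fragment offsets require. It covers Layer 3:IP policies only and makes no claim about whether the ETEP sends an ICMP message when it discards a DF packet.

```python
"""Toy model of how an ETEP handles an oversized outbound IP packet under the
Ignore DF Bit and Reassembly Mode settings (Layer 3:IP policies only).

Added example, not Black Box code. Constructed assumptions: a 20-byte IPv4
header, 58 bytes of encryption overhead per encrypted packet (illustrative,
not the ETEP's real overhead), and 8-byte-aligned fragment payloads.
"""
from dataclasses import dataclass

IPV4_HDR = 20       # bytes, minimum IPv4 header
ENC_OVERHEAD = 58   # bytes, assumed encryption header/trailer overhead


@dataclass
class EtepSettings:
    reassembly: str   # "gateway" or "host"
    ignore_df: bool   # the configured Ignore DF Bit value

    @property
    def effective_ignore_df(self):
        # Tables 89 and 90: gateway mode forces Ignore DF Bit on.
        return True if self.reassembly == "gateway" else self.ignore_df


def fragment(total_len, mtu):
    """Split an IPv4 packet of total_len bytes into fragments that fit mtu.
    Returns the on-the-wire length of each fragment, header included."""
    payload = total_len - IPV4_HDR
    per_frag = (mtu - IPV4_HDR) // 8 * 8   # non-final fragments carry 8-byte multiples
    frags, offset = [], 0
    while offset < payload:
        chunk = min(per_frag, payload - offset)
        frags.append(IPV4_HDR + chunk)
        offset += chunk
    return frags


def process(pkt_len, df_set, pmtu, s):
    """Decide what the ETEP does with one packet entering the local port.
    Returns (action, list of wire lengths leaving toward the remote side)."""
    encrypted_len = pkt_len + ENC_OVERHEAD
    if encrypted_len <= pmtu:
        return "forward", [encrypted_len]          # fits; no fragmentation needed
    if df_set and not s.effective_ignore_df:
        # Ignore DF Bit disabled: honour the DF bit and discard the packet.
        return "drop_df_set", []
    if s.reassembly == "gateway":
        # Encrypt first, then fragment the larger encrypted packet; the peer
        # ETEP reassembles before decrypting (the RFC 2401 behaviour).
        return "encrypt_then_fragment", fragment(encrypted_len, pmtu)
    # Host mode: fragment the cleartext so each fragment plus its own
    # encryption header fits the PMTU; the destination host reassembles.
    clear_frags = fragment(pkt_len, pmtu - ENC_OVERHEAD)
    return "fragment_then_encrypt", [f + ENC_OVERHEAD for f in clear_frags]


def pmtu_symptom(pkt_len, pmtu, s):
    """The symptom from the guide: a full-size DF packet passes in the clear
    but is lost once encryption adds its header. Returns (clear_ok, action)."""
    clear_ok = pkt_len <= pmtu        # no ETEP overhead when traffic is in the clear
    return clear_ok, process(pkt_len, True, pmtu, s)[0]


if __name__ == "__main__":
    for mode, ignore in (("gateway", False), ("host", False), ("host", True)):
        s = EtepSettings(mode, ignore)
        print(mode, "ignore_df=%s" % s.effective_ignore_df,
              process(1500, True, 1500, s), pmtu_symptom(1500, 1500, s))
```

With a 1500-byte path, a 1500-byte DF packet passes in the clear but, once 58 bytes of overhead are added, is dropped in host mode with Ignore DF Bit disabled; the same packet in gateway mode is encrypted and split into a 1500-byte and a 78-byte fragment, and in host mode with Ignore DF Bit enabled it is split in the clear into two pieces that each fit after their own header is added. Real overhead depends on the cipher, integrity algorithm and header format in use, so confirm the actual limit on a live link with a DF-flagged ping of decreasing size rather than relying on the constant above.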

310

EncrypTight User Guide
