Discussion in 'Cisco' started by Joel Salminen, Jan 20, 2006.

  1. Anyone else notice a massive TTL deduction when packets pass through an
    ISAKMP-IPSEC tunnel? I happened to notice this today while monitoring the latency of
    hosts through a VPN tunnel. When I ping the inside interface I get a 253 -
    252 TTL, but just one hop further the TTL is 126. This seems indicative of a
    routing loop. Any thoughts?

    Joel Salminen, Jan 20, 2006

  2. You did not mention any platform, but as I just happened to answer
    a PIX 501 question for you, I will assume PIX.

    PIX 6.x is not exactly a proxy: it does not actually pass packets through
    from one side to another. Instead, PIX 6.x receives the packets
    and builds a -new- packet to the destination. That new packet happens
    to have a different starting TTL.

    Building new packets is important for security reasons, to scrub
    malformed packets and to hide unusual flag combinations that might
    be exploitable or might be usable to detect operating systems in
    use and so on. Secondly, building new packets is required in order
    to be able to inspect protocols, since one does not want an attacker
    to be able to escape detection merely by artificially breaking
    key information at packet boundaries. Thirdly, building new packets
    can help deal with MTU differences -- especially since VPN tunnels
    have a smaller effective MTU (because of the VPN overhead).

    Walter Roberson, Jan 20, 2006
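    A way to check the explanation above against the numbers in the question, as an added example that is not part of the thread and not Cisco code: the script below maps each observed ping TTL to the nearest common default initial TTL (64, 128 or 255), works out the implied hop count, and then compares the near target (the firewall's inside interface) with the far one. If the inferred initial-TTL class changes between the two, the packet was re-originated with a fresh starting TTL, which is what the PIX description predicts; if the class stays the same, the drop is real hop count and a large jump is worth treating as a possible loop. The ping reply lines, the host addresses and the 30-hop loop threshold are constructed for the example.

```python
"""Classify an abrupt TTL drop across a VPN or firewall hop.

Added example, not from the original thread. Infers each reply's probable
initial TTL from the usual OS defaults and compares a near target with a
far one to tell "packet was re-originated by a middlebox" apart from
"the path really got much longer".
"""
import re
from typing import NamedTuple, Optional

# Widely used default initial TTLs: 64 (Linux, BSD), 128 (Windows),
# 255 (Cisco IOS/PIX, Solaris). Assumption: every sender uses one of these.
INITIAL_TTLS = (64, 128, 255)

# Assumption for this example: one extra hop should never add more than
# this many decrements; anything bigger in the same TTL class is suspect.
LOOP_THRESHOLD = 30

# Matches both "64 bytes from H: icmp_seq=1 ttl=T time=..." (Unix ping)
# and "Reply from H: bytes=32 time=2ms TTL=T" (Windows ping).
PING_RE = re.compile(r"from\s+(?P<host>\S+?):?\s.*?\bttl=(?P<ttl>\d+)", re.I)


class TtlEstimate(NamedTuple):
    host: str
    observed_ttl: int
    initial_ttl: int   # inferred default the replying stack started with
    hops: int          # routers that decremented TTL on the way back


def estimate(host: str, observed_ttl: int) -> TtlEstimate:
    """Map an observed reply TTL to the smallest default initial TTL >= it."""
    if not 0 < observed_ttl <= 255:
        raise ValueError(f"TTL out of range: {observed_ttl}")
    initial = min(t for t in INITIAL_TTLS if t >= observed_ttl)
    return TtlEstimate(host, observed_ttl, initial, initial - observed_ttl)


def parse_ping_line(line: str) -> Optional[TtlEstimate]:
    """Parse one ping reply line; return None for lines that are not replies."""
    m = PING_RE.search(line)
    if not m:
        return None
    return estimate(m.group("host"), int(m.group("ttl")))


def classify(near: TtlEstimate, far: TtlEstimate) -> str:
    """Explain the TTL change between a nearer and a farther target."""
    if far.initial_ttl != near.initial_ttl:
        # Different default class: something rebuilt the packet with its
        # own starting TTL, so the raw TTL difference is not a hop count.
        return "ttl-reset"
    extra = far.hops - near.hops
    if extra < 0:
        return "unexpected-fewer-hops"   # e.g. asymmetric return path
    if extra > LOOP_THRESHOLD:
        return "suspect-loop"
    return f"normal (+{extra} hops)"


def diagnose(near_line: str, far_line: str) -> str:
    """Run the comparison directly on two raw ping reply lines."""
    near, far = parse_ping_line(near_line), parse_ping_line(far_line)
    if near is None or far is None:
        raise ValueError("both inputs must be ping reply lines")
    return classify(near, far)


# Constructed sample lines mirroring the thread: the inside interface
# answers with TTL 253, the host one hop behind it with TTL 126.
NEAR_LINE = "64 bytes from 192.0.2.1: icmp_seq=1 ttl=253 time=2.10 ms"
FAR_LINE = "64 bytes from 198.51.100.10: icmp_seq=1 ttl=126 time=9.80 ms"

if __name__ == "__main__":
    # 253 -> initial 255, 2 hops; 126 -> initial 128, 2 hops: a reset,
    # not 127 extra hops.
    print(diagnose(NEAR_LINE, FAR_LINE))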
