NFS/Firewall problem

Jeremy Stoltz jstoltz at
Mon Aug 26 13:27:00 CDT 2002

I'm having some problems getting NFS to work through a netscreen 5200
firewall. I'm using Redhat 7.3 for both the client and server. I can
mount however I can't copy or create any files over a few bytes. 

Here is the messages that I am seeing in our debug:

  find matched sess
  core pak
  flow_ip_send:> => ethernet1/2
  mac 0003479601ea in session
  Send to ethernet1/2 (202)
03228.0: 9(i):0003479601ea->0010db19b589/0800

  rcv non-first-frag UDP pak
  frag session (id 39632) found.
  npak queued
  packet dropped, first session packet can not be frag

03231.0: 9(i):0003479601ea->0010db19b589/0800
    >, tlen=1500
              vhl=45, id=39632, frag=6000, ttl=64
              ports 800->2049, len=4260

Kind if cryptic I know. things to note are the session id ( 39632 for
this flow ), and the message: "packet dropped, first session packet can
not be frag"

I guess what I do not understand is why the application seems to NOT be
sending the first packet first, as opposed to sending a packet that is a
fragment. Upon seeing this packet as the first for this session, we are
seeing it as an illegal setup message and does not follow our stateful
setup rules for UDP sessions setup.

Any ideas how I can work around this?


More information about the Linux-PowerEdge mailing list