Comment 5 for bug 154271

Actually, on xenU, issuing the commands

ethtool -K eth0 tx off
ethtool -K eth0 tx on

fixes the problem too, so changing the tx offloading back to on doesn't break it again.

And the real problem here is that xenU keeps sending big packets even though it gets the fragmentation needed info. I don't have a tcpdump to copy-paste at hand right now, but for me it looked like this:

xenU > target: length 2948
firewall > xenU: ICMP fragmentatinon needed
xenU > destination: length 1480
target > xenU: ACK
xenU > target: length 2948
firewall > xenU: ICMP fragmentatinon needed

So xenU is sending too big packets over and over again, and firewall has to ask it to fragment them each time. And this hurts performance REALLY hard.