https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remote-access-VPN-WSL2-packet-fragmentation/m-p/101095#M10154 <P>Hello guys,</P><P>we are facing an issue with remote access VPN and WSL2. The problem is in packet fragmentation. When a TCP packet is originated directly from the windows system it has the correct Maximum segment size value (1310). But when the packet is originated from WLS2 it has MSS 1460. The packet fragmentation does not work and for example, TSL session will fail.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="obrazek.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/8764i3F1F40B1D674A3DC/image-size/large?v=v2&amp;px=999" role="button" title="obrazek.png" alt="obrazek.png" /></span></P><P>&nbsp;</P><P>We are fixing it with this workaround script in WSL.</P><P>#/bin/bash<BR />ADVMSS=1310</P><P>DEFAULT_ROUTE=$(ip route | grep "default")<BR />ip route del $DEFAULT_ROUTE<BR />ip route add $DEFAULT_ROUTE advmss $ADVMSS<BR />:<BR />if ip route | grep -q "advmss $ADVMSS"; then<BR />echo "MSS is ok"<BR />else<BR />echo "MSS is not ok"<BR />fi</P><P><BR />Is anyone having the same issue? What is your solution?</P><P>&nbsp;</P> Wed, 04 Nov 2020 10:11:25 GMT Honza 2020-11-04T10:11:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remote-access-VPN-WSL2-packet-fragmentation/m-p/101095#M10154 <P>Hello guys,</P><P>we are facing an issue with remote access VPN and WSL2. The problem is in packet fragmentation. When a TCP packet is originated directly from the windows system it has the correct Maximum segment size value (1310). But when the packet is originated from WLS2 it has MSS 1460. The packet fragmentation does not work and for example, TSL session will fail.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="obrazek.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/8764i3F1F40B1D674A3DC/image-size/large?v=v2&amp;px=999" role="button" title="obrazek.png" alt="obrazek.png" /></span></P><P>&nbsp;</P><P>We are fixing it with this workaround script in WSL.</P><P>#/bin/bash<BR />ADVMSS=1310</P><P>DEFAULT_ROUTE=$(ip route | grep "default")<BR />ip route del $DEFAULT_ROUTE<BR />ip route add $DEFAULT_ROUTE advmss $ADVMSS<BR />:<BR />if ip route | grep -q "advmss $ADVMSS"; then<BR />echo "MSS is ok"<BR />else<BR />echo "MSS is not ok"<BR />fi</P><P><BR />Is anyone having the same issue? What is your solution?</P><P>&nbsp;</P> Wed, 04 Nov 2020 10:11:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remote-access-VPN-WSL2-packet-fragmentation/m-p/101095#M10154 Honza 2020-11-04T10:11:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remote-access-VPN-WSL2-packet-fragmentation/m-p/101113#M10155 <P>Encrypted packets can hold less data because of the encryption, hence MTU of the packets sent to VPN tunnel should be reduced, to avoid fragmenting. You can find more details in&nbsp;<SPAN>sk98074. IT is for S2S, but should be relevant for RAS as well, as far as i know.<BR /><BR />Limiting MTU on a network side is a solid approach</SPAN></P> Wed, 04 Nov 2020 12:11:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remote-access-VPN-WSL2-packet-fragmentation/m-p/101113#M10155 _Val_ 2020-11-04T12:11:59Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remote-access-VPN-WSL2-packet-fragmentation/m-p/101235#M10156 <P>I see. But I would expect the vpn client to mangle the TCP MSS value to correct value.</P> Thu, 05 Nov 2020 15:42:39 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remote-access-VPN-WSL2-packet-fragmentation/m-p/101235#M10156 Honza 2020-11-05T15:42:39Z