https://community.checkpoint.com/t5/Firewall-and-Security-Management/Issues-with-mtu-over-vpn-R81-10/m-p/155499#M26499 <P>Hi Chris</P><P>Thanks for the response, we basically lowered the mtu to 1360 on the inside interface of the firewall.</P><P>My mistake, its R81.10</P><P>I ran the below commands on the firewall,&nbsp;</P><P>[Expert@TEST-FW:0]# fw ctl get int fw_clamp_tcp_mss<BR />fw_clamp_tcp_mss = 1</P><P>With this enabled, what does the firewall clamp it to? would it be the mtu minus the ip and tcp header?</P><P>The issue I think is that the ISP has the mtu set to 1400 on there router.</P><P>Do we need to do something with the VPN mtu ?</P><P>Do I need to enable it on the global properties if it looks like its already enabled on the Gateway itself?</P><P>cheers</P><P>&nbsp;</P><DIV class="">&nbsp;</DIV><P>&nbsp;</P> Tue, 23 Aug 2022 10:03:42 GMT carl_t 2022-08-23T10:03:42Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Issues-with-mtu-over-vpn-R81-10/m-p/155489#M26497 <P>Hi Guys</P> <P>we appear to be having issues accessing some webservers using https over a vpn between 2 sites.</P> <P>We have done some packet analsys and it appears to be when the https handshake is done, the servers certificate exchange packets dont appear to make it to the pc requesting the webpage.</P> <P>As with most traffic these days, the DF bit is set in the packet.</P> <P>When we lower the mtu on the pc or the inside interface of the firewall the issue appears to go away.</P> <P>This is obviously not good practice, when we lower the mtu on the outside interface it does not work, so it must not be applying to the vpn.</P> <P>Any ideas what the best thing to do for this?</P> <P>cheers</P> <P>Carl</P> Tue, 23 Aug 2022 11:56:17 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Issues-with-mtu-over-vpn-R81-10/m-p/155489#M26497 carl_t 2022-08-23T11:56:17Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Issues-with-mtu-over-vpn-R81-10/m-p/155496#M26498 <P>Is the version definitely R81.20 as this still remains in EA currently.</P> <P>Is MSS clamping already configured and what value did you attempt to lower the MTU to?</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="clamp.png" style="width: 823px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/17504i0B76E3997B835899/image-size/large?v=v2&amp;px=999" role="button" title="clamp.png" alt="clamp.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 23 Aug 2022 09:31:50 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Issues-with-mtu-over-vpn-R81-10/m-p/155496#M26498 Chris_Atkinson 2022-08-23T09:31:50Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Issues-with-mtu-over-vpn-R81-10/m-p/155499#M26499 <P>Hi Chris</P><P>Thanks for the response, we basically lowered the mtu to 1360 on the inside interface of the firewall.</P><P>My mistake, its R81.10</P><P>I ran the below commands on the firewall,&nbsp;</P><P>[Expert@TEST-FW:0]# fw ctl get int fw_clamp_tcp_mss<BR />fw_clamp_tcp_mss = 1</P><P>With this enabled, what does the firewall clamp it to? would it be the mtu minus the ip and tcp header?</P><P>The issue I think is that the ISP has the mtu set to 1400 on there router.</P><P>Do we need to do something with the VPN mtu ?</P><P>Do I need to enable it on the global properties if it looks like its already enabled on the Gateway itself?</P><P>cheers</P><P>&nbsp;</P><DIV class="">&nbsp;</DIV><P>&nbsp;</P> Tue, 23 Aug 2022 10:03:42 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Issues-with-mtu-over-vpn-R81-10/m-p/155499#M26499 carl_t 2022-08-23T10:03:42Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Issues-with-mtu-over-vpn-R81-10/m-p/155514#M26504 <P>What is the precise MTU set on all interfaces?<BR />If your ISP is using 1400, that interface will for sure need to be set to that.<BR />With the default MTU being 1500, that basically means you’ll have an issue with any packet with a DF bit set over 1400 bytes.<BR />You will definitely need to adjust MTUs and possibly the policy configuration to allow PMTUD to do its job.<BR />See:&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk98074&amp;partition=Advanced&amp;product=IPSec" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk98074&amp;partition=Advanced&amp;product=IPSec</A></P> Tue, 23 Aug 2022 11:53:49 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Issues-with-mtu-over-vpn-R81-10/m-p/155514#M26504 PhoneBoy 2022-08-23T11:53:49Z