topic How to enable pmtud on gaia VSX R81 in General Topics

How to enable pmtud on gaia VSX R81

DZ_KB — Wed, 09 Aug 2023 10:00:42 GMT

Hi all,

I can't find checkpoint SK that describes how to enable path mtu discovery on gaia. May be someone have it and share it here ?

I only found how to configure mss clamping but i'm not interested about this feature because this one is only for tcp trafic and not for udp.

Thanks a lot for your reply.

Regards.

Re: How to enable pmtud on gaia VSX R81

Chris_Atkinson — Wed, 09 Aug 2023 10:12:36 GMT

Did you already review sk98074?

Some previous discussion on this topic here:

https://community.checkpoint.com/t5/General-Topics/Path-MTU-Discovery/td-p/65814#M13457

Re: How to enable pmtud on gaia VSX R81

DZ_KB — Wed, 09 Aug 2023 10:20:07 GMT

Hi @Chris_Atkinson ,

These links seems to be for vpn ipsec. I don't have vpn ipsec.

Re: How to enable pmtud on gaia VSX R81

Chris_Atkinson — Wed, 09 Aug 2023 11:15:47 GMT

Yes these articles highlight a common use case.

PMTUD relies upon ICMP messages that aren't reliably allowed end-to-end which hampers the process.

Re: How to enable pmtud on gaia VSX R81

DZ_KB — Wed, 09 Aug 2023 11:22:49 GMT

all icmp messages are allowed on the path of my network. I only need to enable pmtud on my firewall gateway but i can't find checkpoint documentation wich explain how to.......Or may be it's enabled by default ?

Re: How to enable pmtud on gaia VSX R81

Chris_Atkinson — Wed, 09 Aug 2023 11:41:31 GMT

Do you see symptoms similar to this?

https://community.checkpoint.com/t5/General-Topics/Fragment-Reassembly-Time-Exceeded-Errors/m-p/77289#M15726

Re: How to enable pmtud on gaia VSX R81

DZ_KB — Wed, 09 Aug 2023 12:08:20 GMT

Re: How to enable pmtud on gaia VSX R81

Timothy_Hall — Wed, 09 Aug 2023 17:43:31 GMT

Path MTU discovery is an available function of Gaia/Linux and is controlled by these /proc/sys/net/ipv4 variables:

ip_forward_use_pmtu = 0

ip_no_pmtu_disc = 0

Both of these are set to zero by default, which I interpret as the Gaia OS is not trying to perform Path MTU Discovery for either forwarded packets, or packets that terminate connections on the gateway itself (ssh sessions, Gaia web interface, etc.) However I'm seeing conflicting documentation about that second variable, with some claiming a value of 0 means it is on, but others saying that 0 means it is off. Generally it is a very bad idea to include a negative like "no" in a variable name, since if it is set to zero is that then a double negative, which is equivalent to a positive (therefore enabled)? My head hurts now...

But anyway I suspect the PMTU for IPSec VPN traffic is being handled directly by the SecureXL/INSPECT code and not the Gaia OS. Either way you need to make sure your firewall policy accepts ICMP type 3 code 4 traffic inbound from anywhere. I don't know what will happen if you attempt to directly poke these two variables away from zero via expert mode; doing so would almost certainly not be supported and may cause other problems. Will probably have to ask TAC.

Re: How to enable pmtud on gaia VSX R81

DZ_KB — Sat, 19 Aug 2023 17:58:15 GMT

I have done the test but unfortunately it does not work.

Re: How to enable pmtud on gaia VSX R81

DZ_KB — Sat, 19 Aug 2023 18:13:10 GMT

I update my last post.

I did some deep troubleshooting on the network and the firewall generates icmp on the server, but the server ignored it.

Conclusion: pmtud works fine on gaia but it can't solve my problem. I must therefore direct my research towards other solutions such as mss clamping (the problem will be for udp applications) or increase the mtu on the network.