topic Re: VPN & MTU - Fragmentation R81.20 in General Topics

VPN & MTU - Fragmentation R81.20

CP-NDA — Mon, 29 Apr 2024 13:41:13 GMT

Hi,

We are facing fragmentation issue on a Full Check Point topology

This setup is enabled on all Firewalls. MSS is defined to 1360 on all interfacs

echo 'fw_clamp_vpn_mss=1' >> $FWDIR/boot/modules/fwkern.conf

echo 'sim_clamp_vpn_mss=1' >> $PPKDIR/conf/simkern.conf

All TCP connections seems to be ok.

Our issue is related to RADIUS (EAP) traffic accros the tunnel. EAP needs fragementation but the negociation is dropped. if we reaplced the VPN tunnel with another vendor we are not gettng any problem so this lead to confirm that it's a Check Point issue / configuration

We tried to enable Fast_Accel to make sure nothing is dropped

I'm intending to enable this parameter as I don't know if default value is 0 or 1 in R81.20 ? Does anyboday has any experience with this ?

sim_ipsec_dont_fragment=1

Thank you

Re: VPN & MTU - Fragmentation R81.20

the_rock — Mon, 29 Apr 2024 17:21:04 GMT

I dont even see that parameter as available..

Andy

[Expert@CP-FW-01:0]# fw ctl get int sim_ipsec_dont_fragment
Get operation failed: failed to get parameter sim_ipsec_dont_fragment
get: Operation failed
Killed
[Expert@CP-FW-01:0]#

Re: VPN & MTU - Fragmentation R81.20

CP-NDA — Mon, 29 Apr 2024 17:22:41 GMT

Hi,

I found a way to check. You need to add the -a parameter as it's an SXL param

fw ctl get int sim_ipsec_dont_fragment -a

Value is set to 1 by default

Re: VPN & MTU - Fragmentation R81.20

the_rock — Mon, 29 Apr 2024 17:23:48 GMT

Ah, good catch

Yes, just verified it is 1

Andy