https://community.checkpoint.com/t5/Spark-Firewall-SMB/Fragmentation-issue-on-750-Appliance-in-Checkpoint-Mobil-Client/m-p/179420#M8851 <P>Hi there,</P><P>is there a possibility to change some options concerning fragmentation and MSS-clamping on the 750 Appliance?</P><P>I see a lot of fragmented packets incoming on the Office-Mode-Clients resulting in a very bad performance for the clients. The clients use the Checkpoint Mobile Client to the 750 Appliance.</P><P>I have tried so far to set the MTU on the WAN and LAN-Interface to what I have figured out by using ping with don't fragment (1460Bytes). I also disabled the max-ping-IPS setting (1000Bytes) in the Checkpoint. I also set the MTU on client (Checkpoint Mobile) and server (behind 750 Appliance) to 1350Bytes. I also tried to trim the Windows-Server (Server2019) and Windows-Client (Windows10) to use the minimum MTU of 576 Bytes to avoid a "too big MTU). I still continuously see the fragments (TCP segment of reassembled PDU) in wireshark on the client with always a length of (MTU - 40Bytes).</P><P>Any ideas? Thank you in advance.</P><P>Daniel</P><P>&nbsp;</P> Fri, 28 Apr 2023 13:36:50 GMT dakeil 2023-04-28T13:36:50Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Fragmentation-issue-on-750-Appliance-in-Checkpoint-Mobil-Client/m-p/179420#M8851 <P>Hi there,</P><P>is there a possibility to change some options concerning fragmentation and MSS-clamping on the 750 Appliance?</P><P>I see a lot of fragmented packets incoming on the Office-Mode-Clients resulting in a very bad performance for the clients. The clients use the Checkpoint Mobile Client to the 750 Appliance.</P><P>I have tried so far to set the MTU on the WAN and LAN-Interface to what I have figured out by using ping with don't fragment (1460Bytes). I also disabled the max-ping-IPS setting (1000Bytes) in the Checkpoint. I also set the MTU on client (Checkpoint Mobile) and server (behind 750 Appliance) to 1350Bytes. I also tried to trim the Windows-Server (Server2019) and Windows-Client (Windows10) to use the minimum MTU of 576 Bytes to avoid a "too big MTU). I still continuously see the fragments (TCP segment of reassembled PDU) in wireshark on the client with always a length of (MTU - 40Bytes).</P><P>Any ideas? Thank you in advance.</P><P>Daniel</P><P>&nbsp;</P> Fri, 28 Apr 2023 13:36:50 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Fragmentation-issue-on-750-Appliance-in-Checkpoint-Mobil-Client/m-p/179420#M8851 dakeil 2023-04-28T13:36:50Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Fragmentation-issue-on-750-Appliance-in-Checkpoint-Mobil-Client/m-p/179487#M8852 <P>Some related parameters are outlined in&nbsp;sk121114.</P> Sat, 29 Apr 2023 00:46:22 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Fragmentation-issue-on-750-Appliance-in-Checkpoint-Mobil-Client/m-p/179487#M8852 Chris_Atkinson 2023-04-29T00:46:22Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Fragmentation-issue-on-750-Appliance-in-Checkpoint-Mobil-Client/m-p/179499#M8853 <P>SK Chris gave is good reference. Keep in mind, if this is locally managed appliance, you can really only change things for MTU in gui or cli, but if its centrally managed, there are some settings that could be modified for MSS in Guidbedit database tool.</P> <P>Otherwise, I would say, for locally managed, do the backup and follow the steps in the article.</P> <P>Andy</P> Sat, 29 Apr 2023 13:00:50 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Fragmentation-issue-on-750-Appliance-in-Checkpoint-Mobil-Client/m-p/179499#M8853 the_rock 2023-04-29T13:00:50Z