
MTU and MSS Clamping on gateways in Azure


We have some CloudGuard gateways running in Azure, and some Asian sites have issues reaching them... or the other way around.

We can ping from appliances such as 730 models to servers in the encryption domain of the vSEC gateways, but not the other way around. And then suddenly it works, and then not anymore. We tried permanent tunnels, but it doesn't seem to help much.

I'm starting to look at MTU and MSS Clamping issues but I wonder how you can detect the need for them.

We sometimes see drops because of "SYN retransmit with different window scale" being logged.

Some sites are DAIP sites, some others have fixed IPs, but most lines seem to be of poor quality. Should we set those variables both on the 730 models and on the R80.10 CloudGuard gateway in Azure?

What are your experiences here?

Thanks for the feedback,

2 Replies

Re: MTU and MSS Clamping on gateways in Azure


I've been hitting the MTU issue with Azure VPN over ExpressRoute, and the only solution was to lower the MTU on the VPN interface to 1400, as recommended by one of the Azure tech support guys.

Setting ipsec_dont_fragment did not work, nor did sim_keep_DF_flag=0 (might not be needed), and MSS clamping doesn't apply (see sk98074).

See also sk120122. I have to try getting that hotfix.


Re: MTU and MSS Clamping on gateways in Azure

The thing with MSS and MTU is that it does not make sense to lower the MTU of the interface your VPN runs on, as that would lower the actual MSS even further.

MSS = MTU - (40 bytes IP/TCP header + IPsec header size)

So lowering the MTU further would make the MSS even lower, unless the Azure gateway does not really care about the MTU setting but still lowers the MSS to 1360, thus lowering it by 100 bytes from the default value of 1460.

Regards, Maarten
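As an added worked example that is not part of this thread or of any Check Point or Azure tooling, the script below puts the formula from the last reply (MSS = MTU minus IP/TCP headers minus IPsec overhead) next to the detection question from the original post: it computes the largest MSS a path can carry once ESP encapsulation is added, flags captured SYNs whose advertised MSS exceeds that limit (the flows where MSS clamping would help), and flags flows whose retransmitted SYNs carry different window-scale values, which is the condition behind the "SYN retransmit with different window scale" drop mentioned above. The ESP overhead figures (AES-CBC with a 96-bit ICV, worst-case padding), the log line format and the sample SYN lines are all constructed assumptions, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# IPv4 header (20 bytes) + TCP header without options (20 bytes), the
# "40 bytes IP/TCP header" term from the reply's formula
IP_TCP_HEADERS = 40


def esp_tunnel_overhead(iv_len=16, icv_len=12, cipher_block=16):
    """Worst-case ESP tunnel-mode overhead per packet. Assumed figures for
    AES-CBC with a 96-bit ICV: outer IPv4 header, SPI + sequence number,
    IV, maximum cipher-block padding, pad-length/next-header trailer, ICV."""
    outer_ip = 20
    esp_header = 8
    max_padding = cipher_block - 1
    trailer = 2
    return outer_ip + esp_header + iv_len + max_padding + trailer + icv_len


def safe_mss(path_mtu, ipsec_overhead=0):
    """Largest TCP MSS whose segments still fit the path MTU after
    encapsulation: MSS = MTU - (IP/TCP headers + IPsec overhead)."""
    return path_mtu - IP_TCP_HEADERS - ipsec_overhead


# Constructed log format: "<src ip:port> -> <dst ip:port> SYN mss=<n> wscale=<n>"
SYN_RE = re.compile(
    r"(?P<src>[\d.]+:\d+) -> (?P<dst>[\d.]+:\d+) SYN mss=(?P<mss>\d+) wscale=(?P<wscale>\d+)"
)


def parse_syns(lines):
    """Yield (src, dst, mss, wscale) tuples from SYN log lines."""
    for line in lines:
        m = SYN_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["mss"]), int(m["wscale"])


def find_clamping_candidates(lines, path_mtu, ipsec_overhead=0):
    """Return distinct (src, dst, mss) for SYNs advertising an MSS larger than
    the path can carry once IPsec overhead is added. These are the flows
    that would need MSS clamping (or a lower MTU on the hosts)."""
    limit = safe_mss(path_mtu, ipsec_overhead)
    hits = {(src, dst, mss) for src, dst, mss, _ in parse_syns(lines) if mss > limit}
    return sorted(hits)


def find_wscale_inconsistencies(lines):
    """Return flows whose SYNs (original plus retransmits) carry differing
    window-scale values, the pattern a gateway reports as
    'SYN retransmit with different window scale'."""
    seen = defaultdict(set)
    for src, dst, _, wscale in parse_syns(lines):
        seen[(src, dst)].add(wscale)
    return sorted(flow for flow, scales in seen.items() if len(scales) > 1)


# Constructed sample lines, not real captures
SAMPLE_LOG = [
    "10.10.1.5:51234 -> 10.20.2.10:443 SYN mss=1460 wscale=7",
    "10.10.1.5:51234 -> 10.20.2.10:443 SYN mss=1460 wscale=8",  # retransmit, different wscale
    "10.10.1.6:40000 -> 10.20.2.10:443 SYN mss=1360 wscale=7",
    "10.10.1.7:40001 -> 10.20.2.11:22 SYN mss=1300 wscale=6",
]

if __name__ == "__main__":
    overhead = esp_tunnel_overhead()
    print("Worst-case ESP tunnel overhead:", overhead)
    print("Safe MSS at MTU 1400, no IPsec:", safe_mss(1400))
    print("Safe MSS at MTU 1500 with ESP:", safe_mss(1500, overhead))
    print("Needs clamping:", find_clamping_candidates(SAMPLE_LOG, 1500, overhead))
    print("Inconsistent wscale:", find_wscale_inconsistencies(SAMPLE_LOG))
```

With an MTU of 1400 and no further overhead, `safe_mss` gives the 1360 the reply mentions; with a 1500-byte path and the assumed ESP overhead it drops to 1387, so hosts advertising the default 1460 are the ones flagged. The window-scale check is a hint that a middlebox or retransmit path is rewriting SYN options, which is worth ruling out before tuning MTU at all.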