This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
DZ_KB
Collaborator
‎2023-08-09 02:58 AM
Jump to solution

How to enable pmtud on gaia VSX R81

Hi all,

I can't find checkpoint SK that describes how to enable path mtu discovery on gaia. May be someone have it and share it here ?

I only found how to configure mss clamping but i'm not interested about this feature because this one is only for tcp trafic and not for udp.

Thanks a lot for your reply.

Regards.

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Legend Legend
Legend
‎2023-08-09 10:43 AM
Jump to solution

Path MTU discovery is an available function of Gaia/Linux and is controlled by these /proc/sys/net/ipv4 variables:

ip_forward_use_pmtu = 0

ip_no_pmtu_disc = 0

Both of these are set to zero by default, which I interpret as the Gaia OS is not trying to perform Path MTU Discovery for either forwarded packets, or packets that terminate connections on the gateway itself (ssh sessions, Gaia web interface, etc.)  However I'm seeing conflicting documentation about that second variable, with some claiming a value of 0 means it is on, but others saying that 0 means it is off.  Generally it is a very bad idea to include a negative like "no" in a variable name, since if it is set to zero is that then a double negative, which is equivalent to a positive (therefore enabled)?  My head hurts now...

But anyway I suspect the PMTU for IPSec VPN traffic is being handled directly by the SecureXL/INSPECT code and not the Gaia OS.  Either way you need to make sure your firewall policy accepts ICMP type 3 code 4 traffic inbound from anywhere.  I don't know what will happen if you attempt to directly poke these two variables away from zero via expert mode; doing so would almost certainly not be supported and may cause other problems.  Will probably have to ask TAC.

Attend my 60-minute "Be your Own TAC: Part Deux" Presentation
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm

View solution in original post

9 Replies
Chris_Atkinson
Employee Employee
Employee
‎2023-08-09 03:12 AM
Jump to solution

Did you already review sk98074?

Some previous discussion on this topic here:

https://community.checkpoint.com/t5/General-Topics/Path-MTU-Discovery/td-p/65814#M13457

CCSM R77/R80/ELITE
0 Kudos
DZ_KB
Collaborator
‎2023-08-09 03:20 AM
In response to Chris_Atkinson
Jump to solution

Hi @Chris_Atkinson ,

These links seems to be for vpn ipsec. I don't have vpn ipsec.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-08-09 04:15 AM
In response to DZ_KB
Jump to solution

Yes these articles highlight a common use case.

PMTUD relies upon ICMP messages that aren't reliably allowed end-to-end which hampers the process.

CCSM R77/R80/ELITE
0 Kudos
DZ_KB
Collaborator
‎2023-08-09 04:21 AM
In response to Chris_Atkinson
Jump to solution

all icmp messages are allowed on the path of my network. I only need to enable pmtud on my firewall gateway but i can't find checkpoint documentation wich explain how to.......Or may be it's enabled by default ?  

 

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2023-08-09 10:43 AM
Jump to solution

Path MTU discovery is an available function of Gaia/Linux and is controlled by these /proc/sys/net/ipv4 variables:

ip_forward_use_pmtu = 0

ip_no_pmtu_disc = 0

Both of these are set to zero by default, which I interpret as the Gaia OS is not trying to perform Path MTU Discovery for either forwarded packets, or packets that terminate connections on the gateway itself (ssh sessions, Gaia web interface, etc.)  However I'm seeing conflicting documentation about that second variable, with some claiming a value of 0 means it is on, but others saying that 0 means it is off.  Generally it is a very bad idea to include a negative like "no" in a variable name, since if it is set to zero is that then a double negative, which is equivalent to a positive (therefore enabled)?  My head hurts now...

But anyway I suspect the PMTU for IPSec VPN traffic is being handled directly by the SecureXL/INSPECT code and not the Gaia OS.  Either way you need to make sure your firewall policy accepts ICMP type 3 code 4 traffic inbound from anywhere.  I don't know what will happen if you attempt to directly poke these two variables away from zero via expert mode; doing so would almost certainly not be supported and may cause other problems.  Will probably have to ask TAC.

Attend my 60-minute "Be your Own TAC: Part Deux" Presentation
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm
DZ_KB
Collaborator
‎2023-08-14 09:21 AM
In response to Timothy_Hall
Jump to solution

I have done the test but unfortunately it does not work.

0 Kudos
DZ_KB
Collaborator
‎2023-08-19 11:13 AM
In response to DZ_KB
Jump to solution

I update my last post.

I did some deep troubleshooting on the network and the firewall generates icmp on the server, but the server ignored it.

Conclusion: pmtud works fine on gaia but it can't solve my problem. I must therefore direct my research towards other solutions such as mss clamping (the problem will be for udp applications) or increase the mtu on the network.

 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    li.common.scroll-to.top