DZ_KB
Collaborator

How to enable pmtud on gaia VSX R81

Hi all,

I can't find a Check Point SK that describes how to enable path MTU discovery on Gaia. Maybe someone has it and can share it here?

I only found how to configure MSS clamping, but I'm not interested in this feature because it only applies to TCP traffic and not to UDP.

Thanks a lot for your reply.

Regards.

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Legend

Path MTU discovery is an available function of Gaia/Linux and is controlled by these /proc/sys/net/ipv4 variables:

ip_forward_use_pmtu = 0

ip_no_pmtu_disc = 0

Both of these are set to zero by default, which I interpret as the Gaia OS is not trying to perform Path MTU Discovery for either forwarded packets, or packets that terminate connections on the gateway itself (ssh sessions, Gaia web interface, etc.)  However I'm seeing conflicting documentation about that second variable, with some claiming a value of 0 means it is on, but others saying that 0 means it is off.  Generally it is a very bad idea to include a negative like "no" in a variable name, since if it is set to zero is that then a double negative, which is equivalent to a positive (therefore enabled)?  My head hurts now...

But anyway I suspect the PMTU for IPSec VPN traffic is being handled directly by the SecureXL/INSPECT code and not the Gaia OS.  Either way you need to make sure your firewall policy accepts ICMP type 3 code 4 traffic inbound from anywhere.  I don't know what will happen if you attempt to directly poke these two variables away from zero via expert mode; doing so would almost certainly not be supported and may cause other problems.  Will probably have to ask TAC.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com


(1)
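As an added example (not part of this thread and not Check Point's code), a small Python parser for the ICMP type 3 code 4 "Fragmentation Needed" message mentioned above: it verifies the ICMP checksum and extracts the next-hop MTU and the original packet's addresses, which is exactly the information a receiving host has to accept for PMTUD to work. The sample packet and addresses are constructed.

```python
# Added example: parse ICMPv4 Destination Unreachable / Fragmentation Needed
# (type 3, code 4). The sample message below is constructed, not a capture.
import struct

ICMP_DEST_UNREACH, CODE_FRAG_NEEDED = 3, 4

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_frag_needed(icmp: bytes) -> dict:
    """Return next-hop MTU and the offending packet's header fields, or raise."""
    if len(icmp) < 8 + 20:
        raise ValueError("ICMP message too short to carry the inner IP header")
    itype, code, _csum, _unused, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
    if (itype, code) != (ICMP_DEST_UNREACH, CODE_FRAG_NEEDED):
        raise ValueError(f"not Fragmentation Needed: type={itype} code={code}")
    if icmp_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    ihl = (icmp[8] & 0x0F) * 4          # inner IP header length in bytes
    if len(icmp) < 8 + ihl:
        raise ValueError("truncated inner IP header")
    inner = icmp[8:8 + ihl]
    return {
        "next_hop_mtu": next_hop_mtu,
        "orig_src": ".".join(str(b) for b in inner[12:16]),
        "orig_dst": ".".join(str(b) for b in inner[16:20]),
        "orig_proto": inner[9],
        "df_set": bool(struct.unpack("!H", inner[6:8])[0] & 0x4000),
    }

def build_frag_needed(next_hop_mtu: int, orig_packet: bytes) -> bytes:
    """Construct a Fragmentation Needed message quoting the original packet
    (inner IP header + first 8 payload bytes, per RFC 792)."""
    body = orig_packet[:28]
    hdr = struct.pack("!BBHHH", ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, 0, 0, next_hop_mtu)
    csum = icmp_checksum(hdr + body)
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, csum, 0, next_hop_mtu) + body

# Constructed sample: a 1500-byte UDP datagram (proto 17) with DF set, from
# 10.0.0.5 to 192.0.2.10, that hit a link whose MTU is only 1400 bytes.
SAMPLE_INNER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 17, 0,
                           bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10])) + b"\x00" * 8
SAMPLE_FRAG_NEEDED = build_frag_needed(1400, SAMPLE_INNER)
```

If a host silently drops such a message (as the server in this thread did), no sysctl on the gateway will help; the next-hop MTU field is what the sender must act on.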
9 Replies
Chris_Atkinson
Employee

Did you already review sk98074?

Some previous discussion on this topic here:

https://community.checkpoint.com/t5/General-Topics/Path-MTU-Discovery/td-p/65814#M13457

CCSM R77/R80/ELITE
0 Kudos
DZ_KB
Collaborator

Hi @Chris_Atkinson ,

These links seem to be about IPsec VPN. I don't have an IPsec VPN.

0 Kudos
Chris_Atkinson
Employee

Yes these articles highlight a common use case.

PMTUD relies upon ICMP messages that aren't reliably allowed end-to-end which hampers the process.

CCSM R77/R80/ELITE
0 Kudos
DZ_KB
Collaborator

All ICMP messages are allowed on the path of my network. I only need to enable PMTUD on my firewall gateway, but I can't find Check Point documentation which explains how to... Or maybe it's enabled by default?


0 Kudos
Chris_Atkinson
Employee
0 Kudos
DZ_KB
Collaborator

No

0 Kudos
DZ_KB
Collaborator

I have done the test but unfortunately it does not work.

0 Kudos
DZ_KB
Collaborator

I updated my last post.

I did some deep troubleshooting on the network: the firewall generates the ICMP message towards the server, but the server ignored it.

Conclusion: PMTUD works fine on Gaia, but it can't solve my problem. I must therefore direct my research towards other solutions such as MSS clamping (the problem will be for UDP applications) or increasing the MTU on the network.
