Hi all,
I can't find a Check Point SK that describes how to enable Path MTU Discovery on Gaia. Maybe someone has it and can share it here?
I only found how to configure MSS clamping, but I'm not interested in that feature because it only applies to TCP traffic and not UDP.
Thanks a lot for your reply.
Regards.
Path MTU discovery is an available function of Gaia/Linux and is controlled by these /proc/sys/net/ipv4 variables:
ip_forward_use_pmtu = 0
ip_no_pmtu_disc = 0
Both of these are set to zero by default, which I interpret as the Gaia OS not trying to perform Path MTU Discovery for either forwarded packets or packets that terminate connections on the gateway itself (ssh sessions, Gaia web interface, etc.). However, I'm seeing conflicting documentation about that second variable, with some claiming a value of 0 means it is on, but others saying that 0 means it is off. Generally it is a very bad idea to include a negative like "no" in a variable name, since if it is set to zero is that then a double negative, which is equivalent to a positive (therefore enabled)? My head hurts now...
But anyway I suspect the PMTU for IPSec VPN traffic is being handled directly by the SecureXL/INSPECT code and not the Gaia OS. Either way you need to make sure your firewall policy accepts ICMP type 3 code 4 traffic inbound from anywhere. I don't know what will happen if you attempt to directly poke these two variables away from zero via expert mode; doing so would almost certainly not be supported and may cause other problems. Will probably have to ask TAC.
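The reply above hinges on two things: the kernel sysctls and the ICMP type 3 code 4 ("Fragmentation Needed") message that has to reach the sender for PMTUD to work at all. The following is an added example, not code from the thread or from Check Point: it decodes and validates such a message (checksum, type/code, next-hop MTU, the embedded original IP header that tells you which flow was dropped), builds one from a constructed sample datagram (the addresses 10.0.0.5 and 192.0.2.10 are made up), and states what the two sysctl values mean according to the upstream Linux `ip-sysctl` documentation, where `ip_no_pmtu_disc = 0` means discovery is *not* disabled. That Gaia's kernel keeps the stock semantics is an assumption, as is the helper naming.

```python
"""Decode ICMP Fragmentation Needed (type 3, code 4) and read the PMTUD sysctls.
Added example; not Check Point code. Sample addresses are constructed."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

ICMP_DEST_UNREACH = 3   # ICMPv4 type 3: Destination Unreachable
ICMP_FRAG_NEEDED = 4    # code 4: Fragmentation Needed and DF was set
MIN_IPV4_MTU = 68       # RFC 791: every link must carry at least 68 bytes


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class FragNeeded:
    next_hop_mtu: int        # 0 means the sending router predates RFC 1191
    orig_src: IPv4Address
    orig_dst: IPv4Address
    orig_proto: int          # 6 = TCP, 17 = UDP
    orig_len: int            # total length of the datagram that was dropped
    orig_df: bool            # DF bit of the dropped datagram


def parse_frag_needed(icmp: bytes) -> FragNeeded:
    """Validate an ICMP type 3 code 4 message and extract what a host needs from it."""
    if len(icmp) < 8 + 20:
        raise ValueError("message too short to carry the original IP header")
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        raise ValueError(f"not Fragmentation Needed (type {icmp_type} code {code})")
    if inet_checksum(icmp) != 0:            # checksum covers the whole ICMP message
        raise ValueError("ICMP checksum mismatch")
    if mtu != 0 and mtu < MIN_IPV4_MTU:     # reject nonsense MTUs before trusting them
        raise ValueError(f"implausible next-hop MTU {mtu}")
    # RFC 792: payload is the original IP header plus the first 8 bytes of its data,
    # which lets the receiver match the error to the flow (ports live in those 8 bytes).
    ver_ihl, _tos, tot_len, _ident, flags_frag, _ttl, proto, _hcsum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", icmp[8:28])
    if ver_ihl >> 4 != 4:
        raise ValueError("embedded header is not IPv4")
    return FragNeeded(mtu, IPv4Address(src), IPv4Address(dst), proto, tot_len,
                      bool(flags_frag & 0x4000))


def is_valid_frag_needed(icmp: bytes) -> bool:
    """Boolean wrapper for filters or tests that only need accept/reject."""
    try:
        parse_frag_needed(icmp)
        return True
    except ValueError:
        return False


def build_frag_needed(next_hop_mtu: int, original: bytes) -> bytes:
    """Build the message a router returns when a DF datagram exceeds next_hop_mtu."""
    hdr = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    msg = hdr + original[:28]                # original IP header + first 8 bytes
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def sample_original_datagram() -> bytes:
    """Constructed sample: 1500-byte UDP datagram with DF set, 10.0.0.5 -> 192.0.2.10:53."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 17, 0,
                     IPv4Address("10.0.0.5").packed, IPv4Address("192.0.2.10").packed)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]   # IP header checksum
    udp = struct.pack("!HHHH", 40000, 53, 1480, 0)
    return ip + udp                          # only the first 28 bytes are quoted by ICMP


def interpret_pmtu_sysctls(ip_no_pmtu_disc: int, ip_forward_use_pmtu: int) -> str:
    """Meaning of the two /proc/sys/net/ipv4 values per Linux ip-sysctl documentation.
    Assumption: Gaia exposes the stock kernel semantics."""
    if ip_no_pmtu_disc == 0:
        local = "locally originated traffic sets DF and honours Fragmentation Needed"
    else:
        local = f"locally originated PMTUD disabled or restricted (mode {ip_no_pmtu_disc})"
    if ip_forward_use_pmtu:
        fwd = "forwarded traffic is sized against PMTU learned from ICMP"
    else:
        fwd = ("forwarded traffic is sized against the egress interface MTU only; "
               "oversized DF packets are still answered with type 3 code 4")
    return local + "; " + fwd


if __name__ == "__main__":
    msg = build_frag_needed(1400, sample_original_datagram())
    print(parse_frag_needed(msg))
    print(interpret_pmtu_sysctls(0, 0))
```

Run it as-is to see the decoded sample; point `parse_frag_needed` at bytes captured from a packet capture (starting at the ICMP header) to confirm that what the gateway emits is well-formed and carries a sane next-hop MTU, which is the first thing to check when a peer appears to ignore the message.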
Did you already review sk98074?
Some previous discussion on this topic here:
https://community.checkpoint.com/t5/General-Topics/Path-MTU-Discovery/td-p/65814#M13457
Hi @Chris_Atkinson ,
These links seem to be about IPsec VPN. I don't have IPsec VPN.
Yes these articles highlight a common use case.
PMTUD relies upon ICMP messages that aren't reliably allowed end-to-end which hampers the process.
All ICMP messages are allowed on the path of my network. I only need to enable PMTUD on my firewall gateway, but I can't find Check Point documentation which explains how to... Or maybe it's enabled by default?
Do you see symptoms similar to this?
No
I have done the test but unfortunately it does not work.
I updated my last post.
I did some deep troubleshooting on the network: the firewall generates ICMP toward the server, but the server ignores it.
Conclusion: PMTUD works fine on Gaia, but it can't solve my problem. I must therefore direct my research towards other solutions, such as MSS clamping (the problem will be for UDP applications) or increasing the MTU on the network.