Antonio_Rodrigu
Participant

Path MTU Discovery

ICMP Path MTU Discovery problems in R80.20

The host 10.50.1.80 is trying to reach 192.169.7.86 through a Check Point Virtual System, but when it tries, I'm seeing messages from the router (10.0.110.1) in front of the Check Point about ICMP fragmentation, maybe for Path MTU Discovery.

How can I solve this issue? We cannot modify the MTU size on the application hosts. All MTUs are set to 1500 bytes across the whole network.

Before the traffic arrives at the Check Point it is carried by an IPsec tunnel.

Anyone with the same problem or behavior?
3 Replies
HeikoAnkenbrand
Champion

Hi @Antonio_Rodrigu 

Read this SK:

MTU and Fragmentation Issues in IPsec VPN 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Antonio_Rodrigu
Participant

I really appreciate your help. The SK you refer to describes exactly the behavior. I don't know if the sim_ipsec vars apply, though, since the behavior occurs after encapsulation by other equipment, and I suppose the traffic enters the Check Point in the clear.
Maarten_Sjouw
Champion

MSS clamping is a mechanism that is a cure for the issue; pMTUd is just a medicine.
The two mechanisms differ by solving the problem upfront (MSS clamping) or hoping to solve the issue afterwards when it occurs.

MSS clamping works by changing the actual payload of a packet from 1460 (default value) to a value that you set. It does this by changing the MSS value in the SYN and SYN-ACK packets of each session that is started and fits the clamping criteria (interface/VPN).

With Path MTU Discovery an ICMP packet is returned when a packet hits the device that has to do fragmentation. The problem here is that there are two things that are missing in most environments:
a rule that will allow that ICMP packet, code 4 type 3, to pass
load balancers are still unable to deliver those packets to the correct server.

MSS clamping on Cisco routers is done by using ip tcp adjust-mss 1400 (example number) on the correct interface.
To find the right value, use the small free tool called TCP Optimizer and look for the largest possible MTU, which requires you to give it the correct IP of the server you try to reach.
The outcome needs to be reduced by 40 (20-byte IP header, 20-byte TCP header), so when it shows an MTU of 1436 you need to set the MSS value to 1396.
see https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.h...
Regards, Maarten
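The two mechanisms described in the reply above, as an added worked example (this is not code from the original post, and not Check Point or Cisco code): a packet-level MSS clamp that rewrites the MSS option in a SYN or SYN-ACK and recomputes the TCP checksum, the MTU-minus-40 arithmetic, and a parser that pulls the next-hop MTU out of an ICMP type 3 code 4 "fragmentation needed" message, which is the packet that has to be allowed through for PMTUD to work. The packets are constructed inline; the thread's addresses 10.50.1.80 and 192.169.7.86 are reused, and the port numbers are assumptions.

```python
"""MSS clamping and PMTUD helpers, IPv4 only, standard library only.
Added example, not from the original post; packets below are constructed."""
import socket
import struct

IP_HDR_LEN = 20
TCP_HDR_LEN = 20
TCP_OPT_MSS = 2
TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10


def mss_for_path_mtu(path_mtu: int) -> int:
    """MSS = path MTU minus a 20-byte IPv4 header and a 20-byte TCP header."""
    return path_mtu - IP_HDR_LEN - TCP_HDR_LEN


def _checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """TCP checksum over pseudo-header + segment; 0 when the segment already carries a valid checksum."""
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip), 0, 6, len(segment))
    return _checksum(pseudo + segment)


def build_syn(src_ip, dst_ip, sport, dport, mss, flags=TCP_FLAG_SYN) -> bytes:
    """Constructed IPv4+TCP segment carrying MSS, NOP, NOP and SACK-permitted options (DF set)."""
    options = struct.pack("!BBH", TCP_OPT_MSS, 4, mss) + b"\x01\x01" + b"\x04\x02"
    data_offset = (TCP_HDR_LEN + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, data_offset << 4, flags, 65535, 0, 0) + options
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return ip + tcp


def _tcp_options(tcp: bytes):
    """Yield (offset, kind, length) for each TCP option; stop at end-of-list or a malformed option."""
    data_offset = (tcp[12] >> 4) * 4
    i = TCP_HDR_LEN
    while i < data_offset:
        kind = tcp[i]
        if kind == 0:                      # End of option list
            return
        if kind == 1:                      # NOP, single byte
            yield i, kind, 1
            i += 1
            continue
        if i + 1 >= data_offset:
            return
        length = tcp[i + 1]
        if length < 2 or i + length > data_offset:
            return                         # malformed: refuse to walk past the header
        yield i, kind, length
        i += length


def get_mss(packet: bytes):
    """MSS option value of an IPv4/TCP packet, or None if there is none."""
    tcp = packet[(packet[0] & 0x0F) * 4:]
    for off, kind, length in _tcp_options(tcp):
        if kind == TCP_OPT_MSS and length == 4:
            return struct.unpack_from("!H", tcp, off + 2)[0]
    return None


def clamp_mss(packet: bytes, clamp: int) -> bytes:
    """What 'ip tcp adjust-mss' does: lower the MSS option of a SYN/SYN-ACK to `clamp`
    if it is larger and fix the TCP checksum. Non-TCP, non-SYN and MSS-less
    packets are returned unchanged."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:                     # IP protocol field: not TCP
        return packet
    tcp = bytearray(packet[ihl:])
    if not tcp[13] & TCP_FLAG_SYN:         # MSS is only legal on SYN / SYN-ACK
        return packet
    changed = False
    for off, kind, length in list(_tcp_options(bytes(tcp))):
        if kind == TCP_OPT_MSS and length == 4 and struct.unpack_from("!H", tcp, off + 2)[0] > clamp:
            struct.pack_into("!H", tcp, off + 2, clamp)
            changed = True
    if changed:
        tcp[16:18] = b"\x00\x00"           # zero, then recompute the checksum
        src_ip, dst_ip = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
        struct.pack_into("!H", tcp, 16, tcp_checksum(src_ip, dst_ip, bytes(tcp)))
    return packet[:ihl] + bytes(tcp)


def parse_frag_needed(icmp: bytes):
    """Next-hop MTU from an ICMP Destination Unreachable, code 4 (fragmentation
    needed and DF set), per RFC 1191: the MTU sits in bytes 6-7. None otherwise."""
    if len(icmp) < 8 or icmp[0] != 3 or icmp[1] != 4:
        return None
    return struct.unpack_from("!H", icmp, 6)[0]
```

With the reply's numbers, an MTU of 1436 reported by the tool gives mss_for_path_mtu(1436) == 1396, and clamp_mss() applied to a SYN advertising 1460 rewrites it to 1396 while leaving a SYN that already advertises less alone. Note that the clamp only touches the SYN and SYN-ACK, which is why it works regardless of what the end hosts have configured; PMTUD, by contrast, depends on the ICMP message parsed by parse_frag_needed() actually reaching the sender.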
