This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Antonio_Rodrigu
Participant
‎2019-10-24 09:50 AM

Path MTU Discovery

ICMP Path MTU Discovery problems in R80.20

 

The 10.50.1.80 is trying to reach the 192.169.7.86 by an Checkpoint Virtual System, but when is trying, im seeing messages from the Router (10.0.110.1) preceding the Chekpoint about ICMP fragmentation, maybe for Path MTU Discovery.

 

How can i solve this issue. We can not modify the MTU size for the aplication hosts. All the MTUs are set in 1500 bytes on all the network.

 

The trafic before arrives to the checkpoint is managed by a IPSec Tunel. 

 

Some with the same problem or behavior. 

 

 

 

Preview file
119 KB
0 Kudos
3 Replies
HeikoAnkenbrand
Champion
Champion
‎2019-10-24 10:51 AM

Hi @Antonio_Rodrigu 

read this SK:

MTU and Fragmentation Issues in IPsec VPN 

Antonio_Rodrigu
Participant
‎2019-10-24 01:26 PM
In response to HeikoAnkenbrand

I really apreciate your help, the SK you refer describes exactly the behavior, I dont know if the sim_ipsec vars apply though the behavior is after encapsulation by other equipments, and supose the traffic enter to the checkpoint clear.
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-10-24 02:26 PM
In response to Antonio_Rodrigu

MSS clamping is a mechanism that is a cure to the issue, pMTUd is just a medicine.
The 2 mechanisms differ by solving the problem upfront (MSS clamping) or hoping to solve the issue afterwards when it occurs.

MSS clamping works by changing the actual payload of a packet from 1460 (default value) to a value that you set, it does this by changing the MSS value in the SYN and SYN-ACK packets of each session started fitting the clamping criteria (Interface/VPN).

With path MTU discovery a ICMP packet is returned when a packet hits the device that has to do fragmentation, problem here is that there are 2 things that are missing in most environments:
a rule that will allow that ICMP packet code 4 type 3 to pass
Load balancers are still unable to deliver those packets to the correct server.

MSS Clamping on Cisco routers is done by using IP tcp adjust-mss 1400 (example number) on the correct interface.
To find the right value use the small frre tool called tcpoptimizer and look for largest possible MTU which requires you to give it the correct IP of the server you try to reach.
The outcome needs to be taken down by 40 (20 IP header, 20 TCP header), so when it shows a MTU of 1436 you need to set the MSS value to 1396.
see https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.h...
Regards, Maarten