This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
the_rock
MVP Diamond
MVP Diamond
‎2021-07-13 07:50 AM

Possible R81 bug with MTU change?

Hey everyone,

 

Has someone seen this issue in R81? I did this on 2 firewalls and changed mtu from 1500 to 1350 or 1400 and as soon as I did that, lost ssh and web gui. I NEVER had this issue in R77.30 and before.

 

Could this be a bug??

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
11 Replies
PhoneBoy
Admin
Admin
‎2021-07-13 11:43 AM

Were you able to reconnect?
I wouldn’t be surprised if there was an interaction here with SecureXL.

the_rock
MVP Diamond
MVP Diamond
‎2021-07-13 11:45 AM
In response to PhoneBoy

Hey D,

I was able to reconnect once I changed it back to 1500. Even disabling sxl does not make any difference once you change mtu to 1350 or 1400.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
PhoneBoy
Admin
Admin
‎2021-07-13 12:01 PM
In response to the_rock

Could be related to MSS which may also need to be changed.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

the_rock
MVP Diamond
MVP Diamond
‎2021-07-13 12:05 PM
In response to PhoneBoy

Maybe, not real sure, but did this many times before R80 and never ever did I have to change mss or anything else once I changed mtu size, it simply worked.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Ilya_Yusupov
Employee
Employee
‎2021-07-14 04:31 AM

Hi @the_rock,

 

Can you share which type of appliance is in use and which type of interface it is?

 

Thanks,

Ilya 

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2021-07-14 06:49 AM
In response to Ilya_Yusupov

I did not use physical appliance, as I dont have any on R81, this was only VM testing.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Ilya_Yusupov
Employee
Employee
‎2021-07-14 06:54 AM
In response to the_rock

In my lab on VM it is working fine.

Do you see any failures/errors under /var/log/messages?

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2021-07-15 06:50 AM
In response to Ilya_Yusupov

Nothing of interest in messages at all. I think we can park this issue for now, since we dont plan on upgrading any customers to R81 code on firewalls as of yet any time soon. I was just doing some tests myself for VPN tunnel with cloud provider, hence the reason why I had to change MTU size.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Ilya_Yusupov
Employee
Employee
‎2021-07-15 06:55 AM
In response to the_rock

How you reduce the MTU? via clish or via ifconfig?

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2021-07-15 07:24 AM
In response to Ilya_Yusupov

Hi...tried both via web UI and clish, same results.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Gareth_somers
Contributor
‎2021-07-14 06:31 AM

Only really an aside but I've had issues like this related to MTU and encrypted sessions (HTTPS etc.), Generally it's where the MTU is forced but the client does not know about it and sends larger packets with the DF bit set. You can test this by lowering the MTU on the client device and see can you connect. Normally adjust-mss and path MTU discovery are required for the client to negotiate the correct MTU if you're not directly connected on the same Layer 2 subnet.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events