the_rock
Authority

Possible R81 bug with MTU change?

Hey everyone,

Has someone seen this issue in R81? I did this on 2 firewalls and changed MTU from 1500 to 1350 or 1400, and as soon as I did that, I lost SSH and web GUI. I NEVER had this issue in R77.30 and before.

Could this be a bug??

0 Kudos
11 Replies
PhoneBoy
Admin

Were you able to reconnect?
I wouldn’t be surprised if there was an interaction here with SecureXL.

the_rock
Authority

Hey D,

I was able to reconnect once I changed it back to 1500. Even disabling SXL does not make any difference once you change MTU to 1350 or 1400.

0 Kudos
PhoneBoy
Admin

the_rock
Authority

Maybe, not really sure, but I did this many times before R80 and never ever did I have to change MSS or anything else once I changed MTU size; it simply worked.

0 Kudos
Ilya_Yusupov
Employee

Hi @the_rock,

Can you share which type of appliance is in use and which type of interface it is?

Thanks,

Ilya

0 Kudos
the_rock
Authority

I did not use a physical appliance, as I don't have any on R81; this was only VM testing.

0 Kudos
Ilya_Yusupov
Employee

In my lab on VM it is working fine.

Do you see any failures/errors under /var/log/messages?

0 Kudos
the_rock
Authority

Nothing of interest in messages at all. I think we can park this issue for now, since we don't plan on upgrading any customers to R81 code on firewalls as of yet any time soon. I was just doing some tests myself for a VPN tunnel with a cloud provider, hence the reason why I had to change MTU size.

0 Kudos
Ilya_Yusupov
Employee

How did you reduce the MTU? Via clish or via ifconfig?

0 Kudos
the_rock
Authority

Hi...tried both via web UI and clish, same results.

0 Kudos
Gareth_somers
Contributor

Only really an aside, but I've had issues like this related to MTU and encrypted sessions (HTTPS etc.). Generally it's where the MTU is forced but the client does not know about it and sends larger packets with the DF bit set. You can test this by lowering the MTU on the client device and seeing if you can connect. Normally adjust-mss and path MTU discovery are required for the client to negotiate the correct MTU if you're not directly connected on the same Layer 2 subnet.

0 Kudos
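
The behaviour described in the last reply, as an added example that is not part of the thread and not Check Point code: a toy Python model of a TCP sender with the DF bit set crossing a hop whose MTU was lowered to 1400 (one of the values from the thread). The 40-byte header overhead, the hop list and all function names are assumptions made for illustration.

```python
# Toy model of path MTU discovery (PMTUD); all values are constructed.
HEADERS = 40  # assumed 20-byte IPv4 + 20-byte TCP header, no options


def mss_for_mtu(mtu):
    """Largest TCP payload that fits one unfragmented packet at this MTU."""
    return mtu - HEADERS


def negotiate_mss(client_mtu, server_mtu, clamp_mtu=None):
    """Each end advertises an MSS from its own MTU; the smaller one is used.
    clamp_mtu models a middlebox rewriting the SYN's MSS (adjust-mss)."""
    mss = min(mss_for_mtu(client_mtu), mss_for_mtu(server_mtu))
    if clamp_mtu is not None:
        mss = min(mss, mss_for_mtu(clamp_mtu))
    return mss


def send_segment(payload, path_mtus, icmp_delivered, max_tries=4):
    """Send `payload` bytes with DF set across hops with the given MTUs.
    Returns (delivered, payload_size_used, tries)."""
    for attempt in range(1, max_tries + 1):
        packet = payload + HEADERS
        too_small = next((m for m in path_mtus if m < packet), None)
        if too_small is None:
            return True, payload, attempt
        # DF forbids fragmentation: the hop drops the packet and sends
        # ICMP "fragmentation needed" carrying its MTU (RFC 1191).
        if icmp_delivered:
            payload = mss_for_mtu(too_small)  # sender shrinks and retries
        # else: the ICMP is filtered, the sender retransmits the same size
    return False, payload, max_tries


PATH = [1500, 1400, 1500]  # constructed path; one hop lowered to 1400

if __name__ == "__main__":
    full = negotiate_mss(1500, 1500)
    print("PMTUD working :", send_segment(full, PATH, icmp_delivered=True))
    print("ICMP filtered :", send_segment(full, PATH, icmp_delivered=False))
    print("small packet  :", send_segment(100, PATH, icmp_delivered=False))
    clamped = negotiate_mss(1500, 1500, clamp_mtu=1400)
    print("MSS clamped   :", send_segment(clamped, PATH, icmp_delivered=False))
    lowered = negotiate_mss(1400, 1500)
    print("client at 1400:", send_segment(lowered, PATH, icmp_delivered=False))
```

In the filtered case the small packet still gets through, which is why a session in that state can open and then stall on its first full-size segment.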