- CheckMates
- :
- Products
- :
- General Topics
- :
- Possible R81 bug with MTU change?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Possible R81 bug with MTU change?
Hey everyone,
Has someone seen this issue in R81? I did this on 2 firewalls and changed mtu from 1500 to 1350 or 1400 and as soon as I did that, lost ssh and web gui. I NEVER had this issue in R77.30 and before.
Could this be a bug??
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Were you able to reconnect?
I wouldn’t be surprised if there was an interaction here with SecureXL.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey D,
I was able to reconnect once I changed it back to 1500. Even disabling sxl does not make any difference once you change mtu to 1350 or 1400.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could be related to MSS which may also need to be changed.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe, not real sure, but did this many times before R80 and never ever did I have to change mss or anything else once I changed mtu size, it simply worked.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @the_rock,
Can you share which type of appliance is in use and which type of interface it is?
Thanks,
Ilya
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did not use physical appliance, as I dont have any on R81, this was only VM testing.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In my lab on VM it is working fine.
Do you see any failures/errors under /var/log/messages?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nothing of interest in messages at all. I think we can park this issue for now, since we dont plan on upgrading any customers to R81 code on firewalls as of yet any time soon. I was just doing some tests myself for VPN tunnel with cloud provider, hence the reason why I had to change MTU size.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How you reduce the MTU? via clish or via ifconfig?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi...tried both via web UI and clish, same results.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Only really an aside but I've had issues like this related to MTU and encrypted sessions (HTTPS etc.), Generally it's where the MTU is forced but the client does not know about it and sends larger packets with the DF bit set. You can test this by lowering the MTU on the client device and see can you connect. Normally adjust-mss and path MTU discovery are required for the client to negotiate the correct MTU if you're not directly connected on the same Layer 2 subnet.
