
Understanding MSS Clamping

I am having a hard time fully understanding what MSS Clamping actually does on a firewall.  

The issue that prompted this post is latency over a site to site IPSec VPN.

I have read through sk61221 - Issues requiring adjustment of the Maximum Segment Size (MSS) of TCP SYN and TCP SYN-ACK packets on Security Gateway.

From what I understand, when a host with an MTU set to 1500 sends traffic to a security gateway that needs to traverse a VPN, the 1500 MTU is too large, as overhead needs to be added for ESP. The security gateway then needs to fragment the packets to send them over the VPN, and this uses more processing power and time to fragment and then reassemble at the remote end.

When MSS Clamping is implemented per sk61221 what does that actually affect?  Does the security gateway send information back to the sending host letting it know it can only send frames with a smaller MTU to whatever I set it to on the security gateway?

What interface on the security gateway should I perform this on, inside, or the public internet interface where my VPN terminates?


Thank you.


Hello Mike,

I would recommend additional SKs related to MSS clamping:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

So it all depends on your scenario when it comes to the decision of where to do MSS clamping or where to adjust the MTU. For example, in Azure the MTU on the interface is 1500, but the Azure network stack fragments packets by default at 1400 bytes. As they don't recommend changing the "physical interface" MTU, what I did is basically set the MTU of the VTI interface to 1400 and adjusted the MSS clamping on the VTI interfaces to 1350. This avoided the problems related to fragmentation.

In certain scenarios you need to adjust the MTU on the physical interface (depending on the ISP setup), but in most cases the MSS clamping is applied on the VTI interfaces (if they are being used). Also there are some kernel parameters that are used and configured by default (read the articles mentioned above):

fw ctl get int sim_clamp_vpn_mss -a
fw ctl get int fw_clamp_vpn_mss -a
fw ctl get int sim_ipsec_dont_fragment -a

If you have a careful look, there is a formula for how the MSS is calculated:

TCP MSS value = [ MTU value on interface - IP Header Length - TCP Header Length ]. If you need a different value then you need to do it manually in GuiDBEdit.

But you also need to be aware of some things: the adjustment for MSS can be done individually for an interface, or for IPsec traffic only (again, read the links provided above).

In essence, it depends on the scenario where you need to apply the MTU change and where to apply the MSS value. The MSS value is set on individual gateway nodes and on the cluster gateway in GuiDBEdit (and also ensure that you apply them on the right interfaces).

Hope this helps.

Predrag
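As an added illustration (not code from this thread or from Check Point), the Python below applies the MSS formula quoted in the reply and shows what clamping does on the wire: it rewrites the MSS option of a SYN or SYN-ACK when the host advertises more than the gateway allows. The TCP segment bytes are constructed for the example, and the TCP checksum recomputation a real gateway performs is left out.

```python
from __future__ import annotations
import struct


def clamped_mss(mtu: int, ip_header_len: int = 20, tcp_header_len: int = 20) -> int:
    """MSS derived from an interface MTU: MTU - IP header - TCP header."""
    return mtu - ip_header_len - tcp_header_len


def clamp_syn_mss(tcp_segment: bytes, max_mss: int) -> tuple[bytes, int | None]:
    """Rewrite the MSS option of a TCP SYN / SYN-ACK if it exceeds max_mss.

    Returns (possibly rewritten segment, original MSS or None if absent).
    Only SYN segments carry MSS; anything else is returned unchanged.
    The TCP checksum is NOT recomputed here (a real gateway does that).
    """
    if len(tcp_segment) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp_segment[12] >> 4) * 4        # header length in bytes
    if not tcp_segment[13] & 0x02:                  # SYN flag not set
        return tcp_segment, None
    seg = bytearray(tcp_segment)
    i = 20                                          # options start after fixed header
    while i < data_offset:
        kind = seg[i]
        if kind == 0:                               # End of Option List
            break
        if kind == 1:                               # NOP is a single byte
            i += 1
            continue
        length = seg[i + 1]
        if length < 2:
            raise ValueError("malformed TCP option")
        if kind == 2 and length == 4:               # MSS option (kind 2, length 4)
            (mss,) = struct.unpack_from("!H", seg, i + 2)
            if mss > max_mss:
                struct.pack_into("!H", seg, i + 2, max_mss)
            return bytes(seg), mss
        i += length
    return tcp_segment, None


def build_syn(mss: int) -> bytes:
    """Constructed 24-byte SYN: 20-byte header (data offset 6) plus an MSS option."""
    header = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    return header + struct.pack("!BBH", 2, 4, mss)
```

With a VTI MTU of 1400 the formula yields 1360, which is why a manually chosen value such as the 1350 mentioned above has to be set in GuiDBEdit rather than derived.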
