CP-NDA
Collaborator

VPN & MTU - Fragmentation R81.20

Hi,

 

We are facing a fragmentation issue on a full Check Point topology.

This setup is enabled on all firewalls. MSS is defined to 1360 on all interfaces:

echo 'fw_clamp_vpn_mss=1' >> $FWDIR/boot/modules/fwkern.conf

echo 'sim_clamp_vpn_mss=1' >> $PPKDIR/conf/simkern.conf

 

All TCP connections seem to be OK.

 

Our issue is related to RADIUS (EAP) traffic across the tunnel. EAP needs fragmentation but the negotiation is dropped. If we replace the VPN tunnel with another vendor we are not getting any problem, so this leads us to confirm that it's a Check Point issue / configuration.

We tried to enable Fast_Accel to make sure nothing is dropped

 

I'm intending to enable this parameter, as I don't know if the default value is 0 or 1 in R81.20. Does anybody have any experience with this?

  • sim_ipsec_dont_fragment=1

 

Thank you

0 Kudos
3 Replies
the_rock
Legend

I don't even see that parameter as available..

Andy

[Expert@CP-FW-01:0]# fw ctl get int sim_ipsec_dont_fragment
Get operation failed: failed to get parameter sim_ipsec_dont_fragment
get: Operation failed
Killed
[Expert@CP-FW-01:0]#

0 Kudos
CP-NDA
Collaborator

Hi,

I found a way to check. You need to add the -a parameter as it's an SXL param

fw ctl get int sim_ipsec_dont_fragment -a

Value is set to 1 by default

 

the_rock
Legend

Ah, good catch

Yes, just verified it is 1

Andy

0 Kudos
