Create a Post
Showing results for 
Search instead for 
Did you mean: 

Issues with mtu over vpn R81.10

Hi Guys

we appear to be having issues accessing some webservers using https over a vpn between 2 sites.

We have done some packet analsys and it appears to be when the https handshake is done, the servers certificate exchange packets dont appear to make it to the pc requesting the webpage.

As with most traffic these days, the DF bit is set in the packet.

When we lower the mtu on the pc or the inside interface of the firewall the issue appears to go away.

This is obviously not good practice, when we lower the mtu on the outside interface it does not work, so it must not be applying to the vpn.

Any ideas what the best thing to do for this?



0 Kudos
3 Replies

Is the version definitely R81.20 as this still remains in EA currently.

Is MSS clamping already configured and what value did you attempt to lower the MTU to?




0 Kudos

Hi Chris

Thanks for the response, we basically lowered the mtu to 1360 on the inside interface of the firewall.

My mistake, its R81.10

I ran the below commands on the firewall, 

[Expert@TEST-FW:0]# fw ctl get int fw_clamp_tcp_mss
fw_clamp_tcp_mss = 1

With this enabled, what does the firewall clamp it to? would it be the mtu minus the ip and tcp header?

The issue I think is that the ISP has the mtu set to 1400 on there router.

Do we need to do something with the VPN mtu ?

Do I need to enable it on the global properties if it looks like its already enabled on the Gateway itself?





0 Kudos

What is the precise MTU set on all interfaces?
If your ISP is using 1400, that interface will for sure need to be set to that.
With the default MTU being 1500, that basically means you’ll have an issue with any packet with a DF bit set over 1400 bytes.
You will definitely need to adjust MTUs and possibly the policy configuration to allow PMTUD to do its job.

0 Kudos


Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events