Issues with mtu over vpn R81.10
Hi Guys,
We appear to be having issues accessing some webservers using HTTPS over a VPN between 2 sites.
We have done some packet analysis and it appears to be when the HTTPS handshake is done, the server's certificate exchange packets don't appear to make it to the PC requesting the webpage.
As with most traffic these days, the DF bit is set in the packet.
When we lower the MTU on the PC or the inside interface of the firewall the issue appears to go away.
This is obviously not good practice. When we lower the MTU on the outside interface it does not work, so it must not be applying to the VPN.
Any ideas what the best thing to do for this?
Cheers,
Carl
Labels: Site to Site VPN
Is the version definitely R81.20, as this still remains in EA currently?
Is MSS clamping already configured and what value did you attempt to lower the MTU to?
Hi Chris,
Thanks for the response. We basically lowered the MTU to 1360 on the inside interface of the firewall.
My mistake, it's R81.10.
I ran the below commands on the firewall:
[Expert@TEST-FW:0]# fw ctl get int fw_clamp_tcp_mss
fw_clamp_tcp_mss = 1
With this enabled, what does the firewall clamp it to? Would it be the MTU minus the IP and TCP header?
The issue I think is that the ISP has the MTU set to 1400 on their router.
Do we need to do something with the VPN MTU?
Do I need to enable it in the Global Properties if it looks like it's already enabled on the Gateway itself?
Cheers
What is the precise MTU set on all interfaces?
If your ISP is using 1400, that interface will for sure need to be set to that.
With the default MTU being 1500, that basically means you’ll have an issue with any packet with a DF bit set over 1400 bytes.
You will definitely need to adjust MTUs and possibly the policy configuration to allow PMTUD to do its job.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
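As an added illustration (not from the thread, and not Check Point's code), the following Python model shows why a full-size, DF-set TCP segment such as a TLS Certificate message stops fitting the tunnel once the ISP link is 1400 bytes, and what each remedy discussed above changes: a smaller client MTU, an MSS clamp, or letting PMTUD's ICMP through. All sizes and the ESP layout are assumptions, and `Scenario`, `esp_size`, `largest_mss` and `delivered` are names chosen for this example.

```python
"""Constructed model of the symptom in this thread: a full-size TCP segment
with DF set is dropped once it no longer fits the ISP link after IPsec
encapsulation. IPv4/TCP header sizes are standard; the ESP layout is an
assumption (tunnel mode, 16-byte cipher block, 16-byte IV, 12-byte ICV)."""
from dataclasses import dataclass
from typing import Optional

IP_HDR, TCP_HDR = 20, 20                              # IPv4 and TCP headers, no options
OUTER_IP, ESP_HDR, ESP_IV, ESP_ICV = 20, 8, 16, 12    # assumed ESP tunnel-mode layout
ESP_TRAILER = 2                                       # pad-length + next-header bytes


def esp_size(inner: int) -> int:
    """Bytes on the ISP link for an inner IP packet of `inner` bytes."""
    pad = (-(inner + ESP_TRAILER)) % 16               # pad up to the cipher block size
    return OUTER_IP + ESP_HDR + ESP_IV + inner + pad + ESP_TRAILER + ESP_ICV


def largest_inner(isp_mtu: int) -> int:
    """Largest inner IP packet whose encapsulation still fits the ISP MTU; this is
    the value a PMTUD 'fragmentation needed' ICMP message would report."""
    return max(n for n in range(IP_HDR + TCP_HDR, isp_mtu + 1) if esp_size(n) <= isp_mtu)


def largest_mss(isp_mtu: int) -> int:
    """MSS to clamp to so that every full-size segment fits without fragmentation."""
    return largest_inner(isp_mtu) - IP_HDR - TCP_HDR


@dataclass
class Scenario:
    pc_mtu: int                              # client MTU, from which it advertises its MSS
    isp_mtu: int                             # MTU of the link carrying the ESP packets
    mss_clamp: Optional[int] = None          # MSS clamp applied by the gateway, if any
    icmp_frag_needed_passes: bool = False    # does policy let PMTUD ICMP reach the sender?


def segment_size(s: Scenario) -> int:
    """Size of a full-size TCP segment (e.g. a TLS Certificate message) before encapsulation."""
    mss = s.pc_mtu - IP_HDR - TCP_HDR
    if s.mss_clamp is not None:
        mss = min(mss, s.mss_clamp)
    return mss + IP_HDR + TCP_HDR


def delivered(s: Scenario) -> str:
    """'fits' if the segment crosses the ISP link as is, 'pmtud' if the sender
    first has to learn a smaller path MTU, 'blackhole' if DF plus no ICMP drops it."""
    if esp_size(segment_size(s)) <= s.isp_mtu:
        return "fits"
    return "pmtud" if s.icmp_frag_needed_passes else "blackhole"
```

The real overhead depends on the negotiated cipher suite and on NAT-T (an extra UDP header), so the exact threshold on a live gateway will differ from this model; the shape of the check is the same.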
