This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Daniel_Kavan
MVP Gold
MVP Gold
‎2023-10-17 02:39 PM
Jump to solution

dnssec and mtu size

Packet captures show we are missing the ecdns0 header.  Has anyone had to raise their interface MTU size to accommodate for DNSSEC?   Some one is suggesting to raise it to 4500.    Has anyone had any issues with a MTU size of 4500 over copper (1GB/s) ?    Meh, it looks like 1500 bytes is the max MTU for copper.   Does R81.20 support jumbo frames with fiber?  I assume so.  Yeah, it looks like it and also if you bond interfaces together.  I'm going to close this after reading other post on jumbo frames.

https://dnsinstitute.com/documentation/dnssec-guide/ch03s05.html#:~:text=You%20can%20use%20dig%20to%...

 

 

0 Kudos
2 Solutions

Accepted Solutions
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2023-10-17 08:00 PM
Jump to solution

It's potentially only part of the equation depending on what your connected infrastructure and ISP line supports.

Refer also: sk92835: Large DNS packets (eDNS) are dropped by the gateway

CCSM R77/R80/ELITE

View solution in original post

G_W_Albrecht
MVP Silver
MVP Silver
‎2023-10-18 08:17 AM
In response to Daniel_Kavan
Jump to solution

See sk65264: What is Jumbo frame and MTU Maximum length:

jumbo frame MTU range is 1500-16,000

But this is depending on IF, see details in sk170533: "Failed to set MTU [XXXX] on interface" error and find the remark:

it is generally not recommended to set an MTU size of more than 9000

So 4500 should be possible if supported by the IFs used on the way to the internet. But best practice is to make MTU larger only in small steps until the issue is resolved.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

7 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2023-10-17 08:00 PM
Jump to solution

It's potentially only part of the equation depending on what your connected infrastructure and ISP line supports.

Refer also: sk92835: Large DNS packets (eDNS) are dropped by the gateway

CCSM R77/R80/ELITE
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-10-18 12:35 AM
In response to Chris_Atkinson
Jump to solution

As sk92835 is completely EOL - what about currently supported versions ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Daniel_Kavan
MVP Gold
MVP Gold
‎2023-10-18 07:28 AM
In response to G_W_Albrecht
Jump to solution

I'm curious if a large MTU size like 4500 would have complications with IPSEC site to site VPN tunnels as well on R81.20.

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-10-18 08:17 AM
In response to Daniel_Kavan
Jump to solution

See sk65264: What is Jumbo frame and MTU Maximum length:

jumbo frame MTU range is 1500-16,000

But this is depending on IF, see details in sk170533: "Failed to set MTU [XXXX] on interface" error and find the remark:

it is generally not recommended to set an MTU size of more than 9000

So 4500 should be possible if supported by the IFs used on the way to the internet. But best practice is to make MTU larger only in small steps until the issue is resolved.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Daniel_Kavan
MVP Gold
MVP Gold
‎2023-10-18 08:47 AM
In response to G_W_Albrecht
Jump to solution

So, you can use jumbo frames over copper, 1 Gbps or  you would need fiber?   Assuming  you set a copper interface to more that 1500, say 2500 to start then it automatically uses jumbo frame all the time and for every frame or just when needed?    Or how/where do you enable jumbo frame support?   So, leave MTU set to 1500 and enable jumbo frame support some where?

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-10-19 01:30 AM
In response to Daniel_Kavan
Jump to solution

Afaik Framesize will be changed as needed by the traffic.  If MTU is set to 1500 you have no Jumbo frames. Did you not notice the IF types and values in sk170533 ?

sk98074: MTU and Fragmentation Issues in IPsec VPN

sk167357: MTU value mismatch after removing interface from bond

MTU is mostly discussed when using e.g. Path MTU Discovery Mode for cellular connections and small-band ISP connections. Fragmentation is the other half of the game...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Daniel_Kavan
MVP Gold
MVP Gold
‎2023-10-18 07:50 AM
In response to Chris_Atkinson
Jump to solution

Thanks for the suggestion Chris, I had both of those setting in sk92835 already in check.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events