Path MTU discovery is an available function of Gaia/Linux and is controlled by these /proc/sys/net/ipv4 variables:
ip_forward_use_pmtu = 0
ip_no_pmtu_disc = 0
Both of these are set to zero by default, which I interpret as meaning the Gaia OS is not trying to perform Path MTU Discovery for either forwarded packets or packets that terminate connections on the gateway itself (ssh sessions, Gaia web interface, etc.). However, I'm seeing conflicting documentation about that second variable, with some claiming a value of 0 means it is on, but others saying that 0 means it is off. Generally it is a very bad idea to include a negative like "no" in a variable name, since if it is set to zero is that then a double negative, which is equivalent to a positive (therefore enabled)? My head hurts now...
But anyway I suspect the PMTU for IPSec VPN traffic is being handled directly by the SecureXL/INSPECT code and not the Gaia OS. Either way you need to make sure your firewall policy accepts ICMP type 3 code 4 traffic inbound from anywhere. I don't know what will happen if you attempt to directly poke these two variables away from zero via expert mode; doing so would almost certainly not be supported and may cause other problems. Will probably have to ask TAC.