Johan Hillstrom

R80.10 gateway, can't set sim_clamp_vpn_mss

Discussion created by Johan Hillstrom on Nov 14, 2017
Latest reply on Nov 15, 2017 by Nicolas Daems

Hi

We recently went from R75.46 to R80.10 on a new cluster.

But now we are experiencing IPSec VPN issues, mostly with Azure VPN gw.

We have verified that this is an MTU/MSS issue by temporarily lowering the MTU on one of our AD DCs in-house as well as on one of the Azure AD servers. However, that is not a desirable configuration in the long run.

After plowing through a bunch of SKs I have concluded that what we need to do is enable the sim_clamp_vpn_mss kernel parameter.

Following the instructions in this SK doesn't work, even though it says that it applies to R80.10:

New VPN features in R77.20

So how can we enable sim_clamp_vpn_mss?

Is it as simple as using GuiDBedit?

Here are the relevant settings from one of the cluster gateways:

Edited simkern.conf and rebooted, no effect.

# @cat $PPKDIR/boot/modules/simkern.conf
sim_clamp_vpn_mss=1

# fw ctl get int fw_clamp_vpn_mss
fw_clamp_vpn_mss = 1

# fw ctl get int sim_clamp_vpn_mss
fw: Get operation failed: failed to get parameter

# fw ctl get int fw_clamp_tcp_mss
fw_clamp_tcp_mss = 0

# fw ctl get int fw_clamp_tcp_mss_control
fw: Get operation failed: failed to get parameter

# fw ctl get int mss_value
fw: Get operation failed: failed to get parameter

# fw ctl get int sim_ipsec_dont_fragment
fw: Get operation failed: failed to get parameter

# fw ctl get int sim_keep_DF_flag
fw: Get operation failed: failed to get parameter

Any ideas?

Hakan Palmryd