Not as far as I know.
What is the reason you are trying to do this?
Currently it is not possible. FYI, there are two ways to reduce the packet size: 1) by reducing the number of records in the packet. Currently, the netflow packet is generated once the packet is filled or flushed after 30 secs. Both are hardcoded. 2) by making the fields configurable like 'flexible netflow' (just like in Cisco). Currently not planned but it is under consideration.
I would like to know the use case for the smaller packet size.
Thanks,
Raghu (R&D)
Thanks Raghu for the reply. The use case is that the NetFlow generated by the firewall has a length of 1472, and after that the traffic has to go through the IPsec tunnel. We think that because of the IPsec overhead it is more than 1500, so it is not reaching the destination.
Correct me if my finding is wrong. Do we have any other solution for that?
Hi Nishant, please contact CP support and refer to my name 'Raghuram Devarakonda (R&D)' so that they can contact me. I want to see the tcpdump of the packets going through the IPsec tunnel. Let me know the release details; it may be possible to give you a fix for it, if necessary.
Thanks,
Raghu
The IPsec tunnel is between the routers, not on the firewall, and we still haven't done any troubleshooting on the router side. I can try to engage the router team and raise the case with CP. Before moving forward to the router team and CP, one thing I want to know is whether my assumption could be right or not; otherwise I will be wasting everyone's time.
You may be right. How about other types of packets, for example a large file transfer (it will be a larger size based on the MTU size)? Check the MTU size of the path from CP NetFlow. Can you enable IP fragmentation on the router?
If possible, reduce the traffic on the CP GW to a minimum so that it will not have so many records. Make sure it passes through the routers.
The bottom line is to trace the problem with a smaller packet and increment it till it fails.
Is there a solution to this?
We forward NetFlow data to our Solarwinds server in our Datacentre for all our firewalls. We run DMVPN between most offices, so the MTU of the tunnel is 1400.
We no longer receive NetFlow data. Strangely, this used to work on an older version but hasn't for some time; we are on 81.10 now. NetFlow data is useful to us and we would like to get this resolved.
Please open a ticket with support and also provide a tcpdump of the NetFlow records. Maybe the IP packet has to be fragmented, but I am not sure how it will be handled on the receiving side, including the NetFlow collector. I want to see whether DF is set or not, and also the size of the packet.
I have a ticket open with Check Point; it's been ongoing for some time now.
I was hoping someone in CheckMates may be able to point me in the right direction.
Please provide the SR in a private message, I will make sure to communicate it to @rdevarak.
If the packets don’t have the Don’t Fragment bit set, then they should go through an IPsec VPN just fine.
If they do, I believe we handle this.
For general information around this topic: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
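The check requested in the thread (packet size and whether DF is set), as an added example that is not part of the original posts or Check Point code: it reads the IPv4 header of a raw export packet and states what standard IPv4 forwarding does with it at a given tunnel MTU. The sample packets are constructed; UDP port 2055, the addresses, and treating 1472 as the UDP payload length are assumptions.

```python
import struct

def inspect_ipv4(packet: bytes, tunnel_mtu: int) -> dict:
    """Report size, DF bit and expected fate of one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4                   # header length in bytes
    total_len, _ident, flags_frag = struct.unpack("!HHH", packet[2:8])
    df = bool(flags_frag & 0x4000)                 # Don't Fragment bit
    offset = (flags_frag & 0x1FFF) * 8             # fragment offset in bytes
    dport = None
    if packet[9] == 17 and offset == 0 and len(packet) >= ihl + 8:
        dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    if total_len <= tunnel_mtu:
        verdict = "fits"
    elif df:
        verdict = "drop"       # router drops it, returns ICMP "fragmentation needed"
    else:
        verdict = "fragment"   # router may fragment; the collector must reassemble
    return {"total_len": total_len, "df": df,
            "udp_dport": dport, "verdict": verdict}

def build_sample(udp_payload_len: int, df: bool, dport: int = 2055) -> bytes:
    """Constructed IPv4/UDP packet (checksums left at 0) for offline testing."""
    total = 20 + 8 + udp_payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1,
                     0x4000 if df else 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 10]))
    udp = struct.pack("!HHHH", 40000, dport, 8 + udp_payload_len, 0)
    return ip + udp + bytes(udp_payload_len)

if __name__ == "__main__":
    # Constructed cases: full-size export with and without DF, and a small one,
    # checked against the 1400-byte tunnel MTU mentioned in the thread.
    for payload, df in [(1472, True), (1472, False), (1000, True)]:
        print(payload, df, inspect_ipv4(build_sample(payload, df), 1400))
```

A "drop" verdict on real captures points at the DF bit on the export packets, while "fragment" moves the question to whether the fragments survive the path and are reassembled at the collector.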