Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

IPsec tunnel MTU problems?

HMCHMC Newbie ✭
edited February 3 in Mid Range Firewalls

We had built a ipsec site to site VPN between 2 sonicwalls (NSA 4600) but had problems when the load gets above a certain threshold. When a certain load was reached almost no traffic was able to get through the tunnel.

Site1 <mtu 1492> ----------------------- <mtu 1444> Site2


Questions:

  • Could the MTU have been the problem?
  • What should have been the correct size?
  • How does the ignore don't fragment bit affect the tunnel?
  • However would they not negotiate the lowest mtu which should be 1444?
  • Would clients not automatically learn and adjust their mtu size to (lowest common mtu) something lower than 1444? 


My observation:

I'm thinking 1492 would likely have been a problem. IS IPSEC header 20 bytes for sonicwalls?



Firewall WAN interface settings:

Site 1 WAN interface:


Site 2 WAN interface:


Category: Mid Range Firewalls
Reply

Answers

  • A_ElliottA_Elliott Enthusiast ✭✭
    • Could the MTU have been the problem?
    • Possibly. MTU mismatch can cause all kinds of anomalies.

    • What should have been the correct size?
    • Depends on what the PMTU test returns as your WAN's MTU on each firewall

    • How does the ignore don't fragment bit affect the tunnel?
    • This shouldn't really affect your tunnel much at all.

    • However would they not negotiate the lowest mtu which should be 1444?
    • It's been a while since I dug into it, but I believe IPSEC tunnels reduce it further to 1400

    • Would clients not automatically learn and adjust their mtu size to (lowest common mtu) something lower than 1444? 
    • Client device MTUs will most likely be 1500. It's the firewall's job to fragment the packets further.

    When you say the load gets above a certain threshold, what do you mean exactly? CPU load? Percent of the "pipe" utilized? What do your WAN circuits on each side look like? Any QoS going on?

  • HMCHMC Newbie ✭
    edited February 5

    I meant when the traffic load gets above a certain threshold.


    Hardware resources such as cpu/memory are fine.


    IS it safe to use a MTU size of 1400?

    How do we configure MSS on sonicwalls?

Sign In or Register to comment.