IPsec tunnel MTU problems?

HMC

We had built a ipsec site to site VPN between 2 sonicwalls (NSA 4600) but had problems when the load gets above a certain threshold. When a certain load was reached almost no traffic was able to get through the tunnel.

Site1 <mtu 1492> ----------------------- <mtu 1444> Site2

Questions:

• Could the MTU have been the problem?
• What should have been the correct size?
• How does the ignore don't fragment bit affect the tunnel?
• However would they not negotiate the lowest mtu which should be 1444?
• Would clients not automatically learn and adjust their mtu size to (lowest common mtu) something lower than 1444? 

My observation:

I'm thinking 1492 would likely have been a problem. IS IPSEC header 20 bytes for sonicwalls?

Firewall WAN interface settings:

Site 1 WAN interface:

Site 2 WAN interface:

A_Elliott

• Could the MTU have been the problem?
• Possibly. MTU mismatch can cause all kinds of anomalies.
• 
  
• What should have been the correct size?
• Depends on what the PMTU test returns as your WAN's MTU on each firewall
• 
  
• How does the ignore don't fragment bit affect the tunnel?
• This shouldn't really affect your tunnel much at all.
• 
  
• However would they not negotiate the lowest mtu which should be 1444?
• It's been a while since I dug into it, but I believe IPSEC tunnels reduce it further to 1400
• 
  
• Would clients not automatically learn and adjust their mtu size to (lowest common mtu) something lower than 1444? 
• Client device MTUs will most likely be 1500. It's the firewall's job to fragment the packets further.

When you say the load gets above a certain threshold, what do you mean exactly? CPU load? Percent of the "pipe" utilized? What do your WAN circuits on each side look like? Any QoS going on?

HMC

I meant when the traffic load gets above a certain threshold.

Hardware resources such as cpu/memory are fine.

IS it safe to use a MTU size of 1400?

How do we configure MSS on sonicwalls?