IPsec tunnel MTU problems?

HMC · February 3

We had built a ipsec site to site VPN between 2 sonicwalls (NSA 4600) but had problems when the load gets above a certain threshold. When a certain load was reached almost no traffic was able to get through the tunnel.

Site1 <mtu 1492> ----------------------- <mtu 1444> Site2

Questions:

Could the MTU have been the problem?
What should have been the correct size?
How does the ignore don't fragment bit affect the tunnel?
However would they not negotiate the lowest mtu which should be 1444?
Would clients not automatically learn and adjust their mtu size to (lowest common mtu) something lower than 1444?

My observation:

I'm thinking 1492 would likely have been a problem. IS IPSEC header 20 bytes for sonicwalls?

Firewall WAN interface settings:

Site 1 WAN interface:

Site 2 WAN interface:

A_Elliott · February 5

Could the MTU have been the problem?
Possibly. MTU mismatch can cause all kinds of anomalies.
What should have been the correct size?
Depends on what the PMTU test returns as your WAN's MTU on each firewall
How does the ignore don't fragment bit affect the tunnel?
This shouldn't really affect your tunnel much at all.
However would they not negotiate the lowest mtu which should be 1444?
It's been a while since I dug into it, but I believe IPSEC tunnels reduce it further to 1400
Would clients not automatically learn and adjust their mtu size to (lowest common mtu) something lower than 1444?
Client device MTUs will most likely be 1500. It's the firewall's job to fragment the packets further.

When you say the load gets above a certain threshold, what do you mean exactly? CPU load? Percent of the "pipe" utilized? What do your WAN circuits on each side look like? Any QoS going on?

HMC · February 5

I meant when the traffic load gets above a certain threshold.

Hardware resources such as cpu/memory are fine.

IS it safe to use a MTU size of 1400?

How do we configure MSS on sonicwalls?

Join the Conversation

IPsec tunnel MTU problems?

Answers