MSS value is not applied to IPsec VPN traffic, although MSS Adjustment (Clamping) for IPsec VPN traffic is enabled
Solution ID: sk112094
Product: IPSec VPN
Version: R77.20 (EOL), R77.30 (EOL)
Platform / Model: All
Date Created: 22-Jun-2016
Last Modified: 06-Apr-2018
Symptoms
The MSS value that was defined via GuiDBedit Tool (mss_value) on the external interface of a specific Security Gateway is not applied to IPsec VPN traffic, although MSS Adjustment (Clamping) for IPsec VPN traffic is enabled (the kernel parameters fw_clamp_vpn_mss and sim_clamp_vpn_mss are set to 1 (one) per sk101219 - New VPN features in R77.20).
Setting the value of kernel parameter fw_clamp_tcp_mss_control to true via GuiDBedit Tool applies the MSS value to IPsec VPN traffic. However, it also applies the same MSS value to clear-text TCP traffic, which is undesired.
Output of kernel debug ('fw ctl debug -m fw + vm') during the issue shows for IPsec VPN traffic:
;fw_adjust_mss_ex: entering with mtu 1500 and mss 0
Examples from kernel debug for MSS value of 1200 ('fw ctl debug -m fw + vm' and 'fw ctl debug -m VPN + packet'):
Parameters and their values:
mss_value=1200
fw_clamp_vpn_mss=1
sim_clamp_vpn_mss=1
fw_clamp_tcp_mss_control=0
Debug:
;fw_filter_chain: Clamping MSS with interface value;
;fw_adjust_mss_ex: entering with mtu 1500 and mss 0 ;
;vpnk_mtu_4_mss: orig mtu = 1500, dir = 0, conn = 6;
... ...
;vpnk_mtu_4_mss: new mtu is 1426;
;fw_filter_chain: Clamping MSS with vpn clamping value;
;fw_adjust_mss_ex: entering with mtu 1426 and mss 0 ;
;fw_adjust_mss_ex: Overriding mss with stripped mtu: 1386;
;fw_adjust_mss_ex: reducing MSS on packet from 1460 to 1386;
;fw_filter_chain: Final switch, action=ACCEPT;
;After VM: <dir 0, ... IPP 6> ...;
;VM Final action=ACCEPT;
-
Parameters and their values:
mss_value=1200
fw_clamp_vpn_mss=1
sim_clamp_vpn_mss=1
fw_clamp_tcp_mss_control=1
Debug:
;fw_filter_chain: Clamping MSS with interface value;
;fw_adjust_mss_ex: entering with mtu 1500 and mss 1200 ;
;vpnk_mtu_4_mss: orig mtu = 1460, dir = 0, conn = 6;
... ...
;vpnk_mtu_4_mss: new mtu is 1386;
;fw_adjust_mss_ex: VPN mtu adjust: New mtu 1386;
;fw_adjust_mss_ex: reducing MSS on packet from 1460 to 1200;
;fw_filter_chain: Final switch, action=ACCEPT;
;After VM: <dir 0, ... IPP 6> ...;
;VM Final action=ACCEPT;
Cause
The MSS value is not applied if only MSS Adjustment (Clamping) for IPsec VPN traffic is enabled (fw_clamp_vpn_mss and sim_clamp_vpn_mss) without also enabling MSS Adjustment (Clamping) for FireWall traffic (fw_clamp_tcp_mss per sk61221).
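To tell the two cases apart in a captured debug, the following added example (not part of the original article and not Check Point code) reads one connection's trace and reports whether the final MSS came from the interface mss_value or from the VPN MTU. The function name classify_clamp and the verdict strings are hypothetical; the patterns are taken only from the message text in the excerpts above.

```python
import re

# Message formats as they appear in the debug excerpts on this page.
ENTER = re.compile(r"fw_adjust_mss_ex: entering with mtu (\d+) and mss (\d+)")
STRIPPED = re.compile(r"Overriding mss with stripped mtu: (\d+)")
REDUCED = re.compile(r"reducing MSS on packet from (\d+) to (\d+)")

def classify_clamp(trace, mss_value):
    """Report which value clamped the packet in one connection's debug trace."""
    enter = ENTER.search(trace)        # first match is the interface-value pass
    stripped = STRIPPED.search(trace)  # present when MSS is derived from the MTU
    reduced = REDUCED.search(trace)    # the rewrite actually made to the packet
    if not (enter and reduced):
        return {"verdict": "incomplete trace"}
    iface_mss = int(enter.group(2))
    final_mss = int(reduced.group(2))
    if iface_mss == mss_value and final_mss == mss_value:
        verdict = "interface mss_value applied"
    elif stripped and final_mss == int(stripped.group(1)):
        verdict = "mss_value ignored, MSS derived from VPN MTU"
    else:
        verdict = "unrecognised clamping source"
    return {"iface_mss": iface_mss, "final_mss": final_mss, "verdict": verdict}

# Traces copied from the two debug excerpts above (elided lines omitted).
TRACE_CONTROL_0 = """\
;fw_filter_chain: Clamping MSS with interface value;
;fw_adjust_mss_ex: entering with mtu 1500 and mss 0 ;
;vpnk_mtu_4_mss: new mtu is 1426;
;fw_filter_chain: Clamping MSS with vpn clamping value;
;fw_adjust_mss_ex: entering with mtu 1426 and mss 0 ;
;fw_adjust_mss_ex: Overriding mss with stripped mtu: 1386;
;fw_adjust_mss_ex: reducing MSS on packet from 1460 to 1386;
"""
TRACE_CONTROL_1 = """\
;fw_filter_chain: Clamping MSS with interface value;
;fw_adjust_mss_ex: entering with mtu 1500 and mss 1200 ;
;vpnk_mtu_4_mss: new mtu is 1386;
;fw_adjust_mss_ex: VPN mtu adjust: New mtu 1386;
;fw_adjust_mss_ex: reducing MSS on packet from 1460 to 1200;
"""

if __name__ == "__main__":
    for name, trace in (("fw_clamp_tcp_mss_control=0", TRACE_CONTROL_0),
                        ("fw_clamp_tcp_mss_control=1", TRACE_CONTROL_1)):
        print(name, classify_clamp(trace, mss_value=1200))
```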