Issues requiring adjustment of the Maximum Segment Size (MSS) of TCP SYN and TCP SYN-ACK packets on Security Gateway

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk61221
Technical Level
Product	IPSec VPN, SecureXL
Version	R77.20 (EOL), R77.30 (EOL), R80.10 (EOL), R80.20 (EOL), R80.30 (EOL), R80.40, R81, R80.20SP, R80.30SP, R81.10, R81.20
OS	Gaia
Platform / Model	All
Date Created	24-Feb-2011
Last Modified	21-Dec-2022

Symptoms

Traffic is not passing through Gateway, as expected, due to MTU and/or TCP MSS issues.
Latency in traffic running via Site-to-Site VPN.
"IPSEC_mtu_icmp" kernel table is getting full by the relevant connection.
Web traffic is dropped when using a PPPoE link, cannot go to any website in a Web browser.
Kernel debug ('fw ctl debug -m fw + drop') shows:
fw_log_drop: Packet proto= ... dropped by fwchain_frag Reason: wait for more fragments; ..dropped by fwlinux_nfipout Reason: packet with IP_DF larger than MTU;

Solution

Note: To view this solution you need to Sign In .