Slow Site-to-Site VPN affected by Virtual Defragmentation
Symptoms
  • "Virtual defragmentation error: Timeout" logs when working over Site-to-Site VPN with a Web Server behind one of the VPN Security Gateways.

  • Latency when working over Site-to-Site VPN with an Application Server (e.g., SAP).

  • Kernel debug (fw ctl debug -m fw + drop) shows:
    fw_log_drop: Packet proto= ... dropped by fwchain_frag Reason: wait for more fragments;
Cause

The Security Gateway received a packet that is at the maximum MTU size, or near it.

To send this packet through a VPN tunnel, the Security Gateway must encrypt it and encapsulate it inside another packet. The new packet is larger than the MTU, so it has to be fragmented. The result is a decrease in performance.
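
The size arithmetic behind this cause, as an added example (not code from the original article or from the vendor): it computes how large an inner packet becomes after ESP tunnel-mode encapsulation and how many IPv4 fragments the result needs. Assumptions not stated on the page: IPv4, a 1500-byte MTU, AES-CBC with HMAC-SHA1-96, and optional NAT-T; all function names are hypothetical.

```python
# Added illustration: ESP tunnel-mode size arithmetic (assumed parameters).
OUTER_IP = 20     # new outer IPv4 header, no options
ESP_HEADER = 8    # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad length (1 byte) + next header (1 byte)


def esp_packet_size(inner_len, iv_len=16, block=16, icv_len=12, nat_t=False):
    """Size of the outer IPv4 packet that carries inner_len bytes in ESP tunnel mode.

    Defaults assume AES-CBC (16-byte IV and block) and HMAC-SHA1-96 (12-byte ICV).
    """
    # Inner packet plus trailer is padded up to a multiple of the cipher block.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    udp = 8 if nat_t else 0  # NAT-T wraps ESP in a UDP header
    return OUTER_IP + udp + ESP_HEADER + iv_len + padded + icv_len


def fragments_needed(packet_len, mtu=1500):
    """Number of IPv4 fragments needed to carry packet_len bytes over a link."""
    if packet_len <= mtu:
        return 1
    payload = packet_len - OUTER_IP
    per_fragment = (mtu - OUTER_IP) // 8 * 8  # fragment data is in 8-byte units
    return -(-payload // per_fragment)


def max_inner_without_fragmentation(mtu=1500, **esp_options):
    """Largest inner packet whose encapsulated form still fits in one MTU."""
    return max(n for n in range(20, mtu + 1)
               if esp_packet_size(n, **esp_options) <= mtu)


if __name__ == "__main__":
    # Constructed sample sizes: a small packet, the boundary cases, a full MTU.
    for inner in (576, 1438, 1439, 1500):
        outer = esp_packet_size(inner)
        print(f"inner={inner:5d}  outer={outer:5d}  "
              f"fragments={fragments_needed(outer)}")
    print("largest unfragmented inner packet:",
          max_inner_without_fragmentation())
```

Under these assumptions a full 1500-byte inner packet becomes 1560 bytes and leaves the gateway as two fragments, which the peer has to hold and reassemble before it can decrypt.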

