Traffic sent over a VPN tunnel does not reach its destination because SecureXL does not start fragmenting the packets
Symptoms
  • Traffic sent over a VPN tunnel does not reach its destination.

  • When SecureXL is disabled, the traffic passes over the VPN tunnel correctly.

  • When SecureXL is enabled, it is not possible to download even a 2 KB file.

  • When SecureXL is enabled, and the SecureXL kernel parameter 'sim_keep_DF_flag' (refer to sk92465) is manually set to 0 (in R76 and above, the default value is 1), the traffic passes over the VPN tunnel correctly. However, the Security Gateway loses the improved ability to send an ICMP "Fragmentation Needed" message to try to avoid fragmentation.
Cause

SecureXL does not start fragmenting the encrypted packets. As a result, traffic sent over the VPN tunnel is dropped.

By default, when SecureXL is enabled, and the SecureXL kernel parameter 'sim_keep_DF_flag' is set to 1 (the default value for Security Gateway versions R75.47 / R76 / R77 and above), if the packet's size exceeds the MTU after encryption, the Security Gateway drops the traffic and sends an ICMP "Fragmentation Needed" message.

However, if the Host does not comply and does not lower the MTU (e.g., it never received the ICMP "Fragmentation Needed" message), then the Security Gateway will continue to drop the encrypted packets.

By default, without SecureXL, after 4 seconds, the Security Gateway stops dropping and starts fragmenting the encrypted packets.
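The following model is an added illustration of the behaviour described in the Cause section; it is not Check Point code and does not reproduce SecureXL internals. It assumes an ESP tunnel-mode overhead of 73 bytes, a 1500-byte host MTU, and treats 'sim_keep_DF_flag=0' as "fragment instead of signalling", which is what the symptom list implies. It shows why a 2 KB download stalls only in the combination "SecureXL on, sim_keep_DF_flag=1, ICMP Fragmentation Needed never reaches the host", and completes in the other three cases.

```python
"""Model of path-MTU handling for DF-set packets entering a VPN tunnel.
Constructed illustration only; the numbers for ESP overhead and host MTU
are assumptions, and the decision logic is a simplified reading of the
article, not the product's implementation."""
from dataclasses import dataclass
from typing import Optional, Tuple

IP_TCP_HEADERS = 40             # IPv4 + TCP header without options
ESP_OVERHEAD = 73               # assumed tunnel-mode ESP overhead (cipher/auth dependent)
FRAGMENT_FALLBACK_SECONDS = 4   # article: without SecureXL, fragmentation starts after 4 s


@dataclass
class Disposition:
    action: str                   # "forward", "fragment" or "drop"
    icmp_mtu: Optional[int] = None  # MTU advertised in ICMP "Fragmentation Needed", if sent


def gateway_disposition(packet_len: int, outer_mtu: int, securexl_on: bool,
                        sim_keep_df_flag: int, secs_since_first_drop: float,
                        esp_overhead: int = ESP_OVERHEAD) -> Disposition:
    """Decide what the gateway does with one DF-set cleartext packet of packet_len bytes."""
    if packet_len + esp_overhead <= outer_mtu:
        return Disposition("forward")
    advertised = outer_mtu - esp_overhead  # largest cleartext size that still fits after encryption
    if securexl_on:
        if sim_keep_df_flag == 1:
            # Article: drop and signal, and keep doing so if the host never shrinks its MTU.
            return Disposition("drop", advertised)
        # sim_keep_DF_flag=0: traffic passes but no ICMP is sent (modelled as fragmenting).
        return Disposition("fragment")
    # SecureXL off: drop and signal for FRAGMENT_FALLBACK_SECONDS, then start fragmenting.
    if secs_since_first_drop < FRAGMENT_FALLBACK_SECONDS:
        return Disposition("drop", advertised)
    return Disposition("fragment")


def simulate_download(total_bytes: int, host_mtu: int, outer_mtu: int, securexl_on: bool,
                      sim_keep_df_flag: int, icmp_reaches_host: bool,
                      max_rounds: int = 20, secs_per_round: float = 1.0) -> Tuple[bool, int, int]:
    """Host pushes total_bytes through the tunnel in full-MTU DF segments, one per round.
    Returns (completed, rounds_used, final_host_path_mtu)."""
    path_mtu = host_mtu
    sent = 0
    first_drop_at: Optional[float] = None
    for rnd in range(max_rounds):
        now = rnd * secs_per_round
        payload = min(path_mtu - IP_TCP_HEADERS, total_bytes - sent)
        pkt_len = payload + IP_TCP_HEADERS
        since = 0.0 if first_drop_at is None else now - first_drop_at
        d = gateway_disposition(pkt_len, outer_mtu, securexl_on, sim_keep_df_flag, since)
        if d.action == "drop":
            if first_drop_at is None:
                first_drop_at = now
            if icmp_reaches_host:
                path_mtu = d.icmp_mtu  # host honours PMTUD and shrinks its segments
            # otherwise the ICMP was filtered somewhere: host retransmits the same size (black hole)
            continue
        sent += payload
        if sent >= total_bytes:
            return True, rnd + 1, path_mtu
    return False, max_rounds, path_mtu


if __name__ == "__main__":
    cases = {
        "SecureXL on, keep_DF=1, ICMP filtered": (True, 1, False),
        "SecureXL on, keep_DF=1, ICMP delivered": (True, 1, True),
        "SecureXL off, ICMP filtered": (False, 1, False),
        "SecureXL on, keep_DF=0, ICMP filtered": (True, 0, False),
    }
    for name, (sxl, flag, icmp) in cases.items():
        print(f"{name}: {simulate_download(2048, 1500, 1500, sxl, flag, icmp)}")
```

Only the first case never finishes: the gateway keeps dropping and signalling, but the signal never arrives, and nothing ever falls back to fragmenting. When checking a real deployment, the two questions this model separates are therefore whether ICMP type 3 code 4 is allowed back to the sender, and whether the gateway's DF handling can ever fall back to fragmentation.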


Solution