Traffic sent over a VPN tunnel does not reach its destination because SecureXL does not start fragmenting the packets
SecureXL does not start fragmenting the encrypted packets. As a result, traffic sent over the VPN tunnel is dropped.
By default, when SecureXL is enabled and the SecureXL kernel parameter 'sim_keep_DF_flag' is set to 1 (the default value for Security Gateway versions R75.47 / R76 / R77 and above), the DF flag of the original packet is kept. If the packet's size exceeds the MTU after encryption, the Security Gateway drops the packet and sends an ICMP "Fragmentation Needed" message back to the sending host.
However, if the host does not lower its path MTU in response (for example, because the ICMP "Fragmentation Needed" message was filtered on the way and never reached it), the Security Gateway keeps dropping the encrypted packets indefinitely; with SecureXL and 'sim_keep_DF_flag' set to 1 there is no fallback to fragmentation.
By default, without SecureXL (traffic handled by the Firewall kernel), the Security Gateway drops such packets for 4 seconds and then stops dropping and starts fragmenting the encrypted packets, so the traffic eventually gets through even if the host never lowers its MTU.
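The following model illustrates the interaction described above: a host running Path MTU Discovery sends full-size DF packets into the tunnel, and the gateway either forwards, drops with ICMP "Fragmentation Needed", or fragments the encrypted packet, depending on SecureXL, 'sim_keep_DF_flag' and the 4-second window. It is an added example, not Check Point code. The ESP framing used to compute the encrypted size (AES-CBC with a 16-byte IV and a 12-byte ICV in tunnel mode), the 1500-byte outer MTU, the one-packet-per-second pacing, and the treatment of 'sim_keep_DF_flag' = 0 as "fragment immediately" are assumptions made for the illustration.

```python
"""Model of oversized packets entering a VPN tunnel.

Added illustration, not Check Point code. Assumptions: AES-CBC tunnel-mode
ESP framing, a 1500-byte outer MTU, one packet per second, and that
sim_keep_DF_flag = 0 makes SecureXL fragment instead of honouring DF.
"""
from dataclasses import dataclass

OUTER_MTU = 1500          # assumed MTU of the link the encrypted packet leaves on
FALLBACK_SECONDS = 4      # Firewall-kernel path: drop for 4 s, then fragment (from the text)
DROP_ICMP = "drop+icmp"   # drop and send ICMP "Fragmentation Needed"
FORWARD = "forward"
FRAGMENT = "fragment"


def encrypted_size(inner_len: int) -> int:
    """Size on the wire after ESP tunnel-mode encapsulation (assumed framing:
    20 outer IP + 8 ESP header + 16 IV + payload padded to 16 + 12 ICV)."""
    payload = inner_len + 2                      # + pad-length and next-header bytes
    pad = (-payload) % 16                        # AES block alignment
    return 20 + 8 + 16 + payload + pad + 12


def max_inner_for(mtu: int) -> int:
    """Largest cleartext packet whose encrypted form still fits the MTU; this is
    the value the gateway advertises in ICMP "Fragmentation Needed"."""
    size = mtu
    while encrypted_size(size) > mtu:
        size -= 1
    return size


def gateway_decide(inner_len: int, df: bool, securexl: bool, keep_df_flag: int,
                   seconds_dropping: int, mtu: int = OUTER_MTU) -> str:
    """Verdict of the Security Gateway for one packet entering the tunnel."""
    if encrypted_size(inner_len) <= mtu:
        return FORWARD
    if not df:
        return FRAGMENT                          # DF clear: fragmenting is always allowed
    if securexl:
        # sim_keep_DF_flag=1: DF is kept, packet is dropped with ICMP, no fallback.
        # sim_keep_DF_flag=0: assumed to ignore DF and fragment right away.
        return DROP_ICMP if keep_df_flag else FRAGMENT
    # Firewall-kernel path: drop with ICMP for FALLBACK_SECONDS, then fragment.
    return FRAGMENT if seconds_dropping >= FALLBACK_SECONDS else DROP_ICMP


@dataclass
class Host:
    """A sender doing Path MTU Discovery: DF set, lowers its PMTU only when the
    ICMP "Fragmentation Needed" message actually arrives."""
    pmtu: int = 1500
    df: bool = True


def simulate(securexl: bool, keep_df_flag: int, icmp_reaches_host: bool,
             seconds: int = 6, mtu: int = OUTER_MTU) -> list:
    """One full-size DF packet per second; returns the gateway verdict per second."""
    host = Host()
    verdicts = []
    seconds_dropping = 0
    for _ in range(seconds):
        verdict = gateway_decide(host.pmtu, host.df, securexl, keep_df_flag,
                                 seconds_dropping, mtu)
        if verdict == DROP_ICMP:
            seconds_dropping += 1
            if icmp_reaches_host:
                host.pmtu = max_inner_for(mtu)   # host honours the ICMP and shrinks its PMTU
        verdicts.append(verdict)
    return verdicts


def tunnel_blackholed(verdicts: list) -> bool:
    """True when nothing ever gets through: every packet was dropped."""
    return all(v == DROP_ICMP for v in verdicts)


if __name__ == "__main__":
    print("SecureXL, keep_DF=1, ICMP delivered :", simulate(True, 1, True))
    print("SecureXL, keep_DF=1, ICMP filtered  :", simulate(True, 1, False))
    print("No SecureXL,          ICMP filtered  :", simulate(False, 1, False))
    print("SecureXL, keep_DF=0, ICMP filtered  :", simulate(True, 0, False))
```

Running it shows the failure mode of this article: with SecureXL and 'sim_keep_DF_flag' = 1, a host that never receives the ICMP message is dropped forever, whereas the Firewall-kernel path starts fragmenting after the fourth second. When troubleshooting, the first thing to confirm is therefore whether ICMP type 3 code 4 from the gateway actually reaches the sender.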