How the Palo Alto Network Firewall Handles Packets that Exceed the MTU
Resolution
Details
If a packet larger than the configured MTU (Maximum Transmission Unit) is received and the DF (Don't Fragment) flag is set in its IP header, the firewall returns an ICMP "frag-needed" message, notifying the sender that a smaller MTU is needed. For more information, see Scenario A in How the Palo Alto Networks Firewall Manages Fragmented Traffic.
The sender's TCP/IP stack should be capable of responding with smaller packets. However, certain devices block these ICMP messages, causing the sender to resend the oversized packet.
To avoid this situation in an IPsec VPN tunnel, change the MTU/MSS (Maximum Segment Size) on the network devices that terminate the tunnel. When a packet passes through an IPsec tunnel that terminates on a Palo Alto Networks firewall, the firewall automatically adjusts the MSS value in the TCP handshake to prevent this situation.
If a dynamic routing protocol, such as RIP or OSPF, is employed on the firewall, use the following command to verify that the MTU in the forwarding table (FIB) is not smaller than the MTU configured on the egress interface:
> show routing fib
total virtual-router shown : 1
-------------------------------------------------------------------------------
virtual-router name: VR1
interfaces: ethernet1/3 ethernet1/4 tunnel.1
route table:
flags: u - up, h - host, g - gateway
-------------------------------------------------------------------------------
maximum of fib entries for device: 1250
number of fib entries for device: 6
maximum of this entries for this fib: 1250
number of fib entries for this fib: 6
number of fib entries shown: 6
-------------------------------------------------------------------------------
id destination nexthop flags interface mtu
-------------------------------------------------------------------------------
4 0.0.0.0/0 10.30.14.254 ug ethernet1/3 1500
3 10.30.14.0/24 0.0.0.0 u ethernet1/3 1500
2 10.30.14.145/32 0.0.0.0 uh ethernet1/3 1500
owner: panagent
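As an added example (not part of the Palo Alto Networks article), the verification step above expressed as a script: it parses `show routing fib` output, flags routes whose FIB MTU is below the MTU configured on their egress interface, and derives the TCP MSS a given MTU can carry. The per-interface MTU values are assumed to be supplied by the caller, since the article does not show the corresponding interface output.

```python
import re

# Constructed sample: the FIB rows from the article, plus one constructed
# tunnel.1 row (id 5, 192.0.2.0/24 documentation prefix) with a lowered MTU
# so the mismatch check has something to report.
SAMPLE_FIB = """\
id destination nexthop flags interface mtu
-------------------------------------------------------------------------------
4 0.0.0.0/0 10.30.14.254 ug ethernet1/3 1500
3 10.30.14.0/24 0.0.0.0 u ethernet1/3 1500
2 10.30.14.145/32 0.0.0.0 uh ethernet1/3 1500
5 192.0.2.0/24 0.0.0.0 u tunnel.1 1400
owner: panagent
"""

# One FIB row: id, destination, nexthop, flags (u/h/g), interface, mtu.
FIB_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+([uhg]+)\s+(\S+)\s+(\d+)\s*$")

def parse_fib(text):
    """Return one dict per route row found in `show routing fib` output;
    header, separator and summary lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = FIB_ROW.match(line)
        if m:
            rows.append({"id": int(m[1]), "destination": m[2], "nexthop": m[3],
                         "flags": m[4], "interface": m[5], "mtu": int(m[6])})
    return rows

def fib_mtu_mismatches(text, interface_mtu):
    """Return (route id, interface, fib mtu, interface mtu) for every route whose
    FIB MTU is smaller than the MTU configured on its egress interface.
    `interface_mtu` maps interface name -> configured MTU (caller-supplied)."""
    findings = []
    for r in parse_fib(text):
        configured = interface_mtu.get(r["interface"])
        if configured is not None and r["mtu"] < configured:
            findings.append((r["id"], r["interface"], r["mtu"], configured))
    return findings

def tcp_mss_for_mtu(mtu, tunnel_overhead=0):
    """Largest IPv4 TCP MSS that fits in `mtu` (20-byte IP + 20-byte TCP header),
    minus any encapsulation overhead the caller budgets for an IPsec tunnel.
    The overhead value is an assumption supplied by the caller, not a fixed constant."""
    return mtu - 40 - tunnel_overhead

if __name__ == "__main__":
    for f in fib_mtu_mismatches(SAMPLE_FIB, {"ethernet1/3": 1500, "tunnel.1": 1500}):
        print("route %d via %s: fib mtu %d < interface mtu %d" % f)
```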