https://live.paloaltonetworks.com/t5/advanced-sd-wan-for-ngfw/pan-308564-known-issue/m-p/1253658#M62 <P>I could not help notice that all of the latest and preferred 11.1.x, 11.2.x and even 12.1.x all have the following known issue.</P> <P>&nbsp;</P> <TABLE class="table colsep rowsep table-striped"> <TBODY class="tbody"> <TR class="row"> <TD class="entry"> <DIV class="p"><STRONG class="ph b">PAN-308564</STRONG></DIV> </TD> <TD class="entry relcol"> <DIV class="p">Packets are dropped on SD-WAN interfaces if they require fragmentation for an interface but have the<SPAN>&nbsp;</SPAN><SPAN class="ph uicontrol">Don't Fragment (DF)</SPAN><SPAN>&nbsp;</SPAN>bit set. This results in unexpected packet drops. This affects client to server sessions when using SD-WAN for NGFW.</DIV> <DIV class="p"><STRONG class="ph b">Workaround:</STRONG><SPAN>&nbsp;</SPAN>Allow fragmenting packets with DF bit set (<SPAN class="ph userinput">debug dataplane set ip4-ignore-df yes</SPAN>).</DIV> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>What I am curious about is because this sounds like expected IP behavior. When a DF bit is set and the packet exceeds the MTU, it gets dropped.</P> <P><A href="https://datatracker.ietf.org/doc/html/rfc8900" target="_blank" rel="noopener">RFC 8900 - IP Fragmentation Considered Fragile</A></P> <P>&nbsp;</P> <P>The only thing if this is an issue is in cases where PMTU (ICMP Type 3, Code 4) is being black holed.</P> <P>&nbsp;</P> <P>Given this KB:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004ONDCA2" target="_blank" rel="noopener">Effects Of Interface MTU on SDWAN VIF - Knowledge Base - Palo Alto Networks</A></P> <P>I find that all my IPSec tunnel based SDWAN VIFs have a MTU of 1432, as expected.</P> <P data-unlink="true">RFC8900 describes a scenario that may be relevent to SDWAN path logic. (Section&nbsp;3.2. Policy-Based Routing)</P> <P>&nbsp;</P> <P>So I tested it.&nbsp; I had one path with a underlay MTU of 1500 and another path with a MTU at 1432.</P> <P>The SDWAN VIF properly showed a MTU of 1432. (Expected as per the KB above)</P> <P>As the bug report described above, I experienced a flurry of dropped packets due to fragmentation in my tests.</P> <P>&nbsp;</P> <P>After placing a MSS clamp (adjustment of 109) and the problem of drops went away.</P> <P>&nbsp;</P> <P>This lead me to hypothesis that the issue with&nbsp;<STRONG class="ph b">PAN-308564</STRONG>&nbsp;may be that the SDWAN VIF may be black holing PMTUD.</P> <P>&nbsp;</P> <P>No quesiton here, just sharing my recent observations.</P> Fri, 08 May 2026 01:12:35 GMT JosephBedard 2026-05-08T01:12:35Z https://live.paloaltonetworks.com/t5/advanced-sd-wan-for-ngfw/pan-308564-known-issue/m-p/1253658#M62 <P>I could not help notice that all of the latest and preferred 11.1.x, 11.2.x and even 12.1.x all have the following known issue.</P> <P>&nbsp;</P> <TABLE class="table colsep rowsep table-striped"> <TBODY class="tbody"> <TR class="row"> <TD class="entry"> <DIV class="p"><STRONG class="ph b">PAN-308564</STRONG></DIV> </TD> <TD class="entry relcol"> <DIV class="p">Packets are dropped on SD-WAN interfaces if they require fragmentation for an interface but have the<SPAN>&nbsp;</SPAN><SPAN class="ph uicontrol">Don't Fragment (DF)</SPAN><SPAN>&nbsp;</SPAN>bit set. This results in unexpected packet drops. This affects client to server sessions when using SD-WAN for NGFW.</DIV> <DIV class="p"><STRONG class="ph b">Workaround:</STRONG><SPAN>&nbsp;</SPAN>Allow fragmenting packets with DF bit set (<SPAN class="ph userinput">debug dataplane set ip4-ignore-df yes</SPAN>).</DIV> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>What I am curious about is because this sounds like expected IP behavior. When a DF bit is set and the packet exceeds the MTU, it gets dropped.</P> <P><A href="https://datatracker.ietf.org/doc/html/rfc8900" target="_blank" rel="noopener">RFC 8900 - IP Fragmentation Considered Fragile</A></P> <P>&nbsp;</P> <P>The only thing if this is an issue is in cases where PMTU (ICMP Type 3, Code 4) is being black holed.</P> <P>&nbsp;</P> <P>Given this KB:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004ONDCA2" target="_blank" rel="noopener">Effects Of Interface MTU on SDWAN VIF - Knowledge Base - Palo Alto Networks</A></P> <P>I find that all my IPSec tunnel based SDWAN VIFs have a MTU of 1432, as expected.</P> <P data-unlink="true">RFC8900 describes a scenario that may be relevent to SDWAN path logic. (Section&nbsp;3.2. Policy-Based Routing)</P> <P>&nbsp;</P> <P>So I tested it.&nbsp; I had one path with a underlay MTU of 1500 and another path with a MTU at 1432.</P> <P>The SDWAN VIF properly showed a MTU of 1432. (Expected as per the KB above)</P> <P>As the bug report described above, I experienced a flurry of dropped packets due to fragmentation in my tests.</P> <P>&nbsp;</P> <P>After placing a MSS clamp (adjustment of 109) and the problem of drops went away.</P> <P>&nbsp;</P> <P>This lead me to hypothesis that the issue with&nbsp;<STRONG class="ph b">PAN-308564</STRONG>&nbsp;may be that the SDWAN VIF may be black holing PMTUD.</P> <P>&nbsp;</P> <P>No quesiton here, just sharing my recent observations.</P> Fri, 08 May 2026 01:12:35 GMT https://live.paloaltonetworks.com/t5/advanced-sd-wan-for-ngfw/pan-308564-known-issue/m-p/1253658#M62 JosephBedard 2026-05-08T01:12:35Z