topic Re: PA-220 Slow Response time connecting over ipsec tunnel to AWS. in General Topics

PA-220 Slow Response time connecting over ipsec tunnel to AWS.

FMA-Admin — Wed, 29 Mar 2023 03:27:10 GMT

I've read on here multiple posts, older and newer but I think part of my issue is that I'm new to this environment and I'm hoping for a bit of guidance. I took over 4 sites with PA-220 firewalls which were way out of date, I've just got them to 10.0.11 and yes I know I still have a few more to go.

All 4 sites have a ipsec tunnel to AWS, one of those sites is heavy with accessing network shares stored on AWS. I went through and read the document on When To Use Adjust MSS. Very helpful but here is my question that I'm hoping for a bit of guidance.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PN0gCAG

After walking through the document I now want to go in and set the MTU to 1360 and MSS to 140 bytes, I feel a good start after the results with the ping, If I'm understanding what I did and the results. I would like to know if the following is the correct spot in the interface to make these changes before I just go in and do it.

Network > Interfaces > Ethernet > ethernet 1/2 Layer 3 > Advanced

Management Profile MTU - 1360

Adjust TCP MSS Both ipv4 & 6 set to 140

Thank you

Re: PA-220 Slow Response time connecting over ipsec tunnel to AWS.

JayGolf — Wed, 05 Apr 2023 03:57:31 GMT

Hi @FMA-Admin ,

That is one of the places you can set MTU and MSS values. If you are looking to adjust the values for your tunnels, you will have to click on the tunnel interface itself.

Network -> Interfaces -> Tunnel -> Select the tunnel used for each VPN -> Advanced Tab

Re: PA-220 Slow Response time connecting over ipsec tunnel to AWS.

Raido_Rattameister — Wed, 05 Apr 2023 15:01:12 GMT

Tunnel interfaces have IPs configured and ping permitted on both sides?

If not then PMTUD packets might not be passed through and this can cause slowness.

MSS helps only with TCP but UDP sill needs to learn MTU limit the hard way.

Re: PA-220 Slow Response time connecting over ipsec tunnel to AWS.

FMA-Admin — Wed, 05 Apr 2023 22:58:43 GMT

Yeah I did look at the AWS tunnel settings, but I noticed they only had MTU, not MSS. IFor the tunnels the Management Profile set to None, MTU is empty.

Re: PA-220 Slow Response time connecting over ipsec tunnel to AWS.

Raido_Rattameister — Fri, 07 Apr 2023 14:28:09 GMT

Take a look at this KB

https://live.paloaltonetworks.com/t5/blogs/tcp-mss-adjustments-updated-february-2023/ba-p/156881

Also according to link below 'For TCP traffic over IPSec Tunnel, the Palo Alto Networks firewall will automatically adjust the TCP MSS in the three-way handshake.'

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClW3CAK

So instead of playing around with MTU and MSS confirm that PMTUD packets are utilized.

I am pretty sure you need to have management profile that permits ping on tunnel interface for that.