topic Re: Clear DF bit for VPN in General Topics

Clear DF bit for VPN

winterfrost — Thu, 23 Mar 2017 23:01:13 GMT

We have recently migrated our site-to-site VPN so it is now running between a PA-3020 > Cisco ASA 5510. After the migration we discovered that one of our cross-site applications broke and the vendor determined it was because their application communicates in 1472 byte packets with the DF bit set. On our old VPN this was not an issue because the devices cleared the DF bit, allowing the packets to be fragmented before crossing the tunnel.

I have found the option on the ASA to clear the DF bit (crypto ipsec df-bit clear-df <interface>), however I can't locate anything similar in the PA documentation.

Can someone please point me in the right direction? Thanks!

Re: Clear DF bit for VPN

ansharma — Fri, 24 Mar 2017 05:26:57 GMT

Hi Winterfrost,

Welcome to the community forums!

As far as I know, there is no option to clear the df bit, on PA. However, you can adjust MSS/MTU under Network->Interfaces.

Regards,

Anurag

Re: Clear DF bit for VPN

winterfrost — Fri, 31 Mar 2017 15:43:56 GMT

The connection is currently passing 1472-byte ping with the DF-bit set, but I'm not entirely clear how this works.

We have 1500 MTU set on the physical external interface and on the tunnel interface on the PA. At the remote site (Cisco ASA) we have the same MTU settings, but we had to turn on the option to clear the DF bit on the ASA to pass a DF-flagged 1472 byte ping. I assumed we needed to do the same on the PA, but as soon as we enabled it on the Cisco side, the pings started to go through.

So 1472 data + 20 IP header + 8 ICMP header = 1500. But this doesn't include IPSec overhead.

It's my understanding that a VPN device will typically evaluate a packet's size against the MTU, including the size of the IPSec header, and determine if fragmentation is needed. In the case of a packet flagged with the DF-bit, if this total size exceeds the MTU, the packet will be dropped... unless you tell the VPN device to ignore the DF-bit.

On the Cisco side this is what we did, so the packets are fragmented despite the DF-bit and the communication works. Is the PA doing the same thing automatically? Or (much more likely) am I completely misunderstanding something?

Re: Clear DF bit for VPN

amolm1 — Wed, 24 Jan 2024 16:41:26 GMT

A) To check DF override status:

> show system state | match ip4-ignore

sw.comm.s1.dp0.flow-data: { 'b_not_use_parent_policy': False, 'cclogmgmt-reject-all': False, 'combine-pkt-msg': True, 'cutthrough': True, 'distributed-sess-mgmt': False, 'dp-avg-load': 2, 'dp-cal-load': True, 'dp-load-level': 102, 'hw-ipv6': False, 'hw-mcast': False, 'hw-remove-req-cnt': 0, 'ip4-ignore-df': False, 'ip6-host-pmtu-exception-check': False, 'ip6-mcast-fwd-check': False, 'ip6-skip-1-routing-hdr-check': False, 'ip6-skip-ucast-mac-check': False, 'ipv6-firewalling': True, 'netflow-refresh-interval': 60, 'no-learning-return-mac': False, 'num-of-free-session': 1246, 'num-of-free-session-this-dp': 1246, 'process-cpu': 0, 'session-timeout-5gcdelete': 15, 'session-timeout-closing': 5, 'session-timeout-cp': 30, 'session-timeout-default': 30, 'session-timeout-discard_default': 60, 'session-timeout-discard_sctp': 30, 'session-timeout-discard_tcp': 90, 'session-timeout-discard_udp': 60, 'session-timeout-forward': 10, 'session-timeout-gtpc_request': 90, 'session-timeout-icmp': 6, 'session-timeout-opening': 5, 'session-timeout-scan': 10, 'session-timeout-sctp': 3600, 'session-timeout-sctpcookie': 60, 'session-timeout-sctpinit': 5, 'session-timeout-sctpshutdown': 60, 'session-timeout-tcp': 3600, 'session-timeout-tcp_unverif_rst': 30, 'session-timeout-tcphalfclosed': 120, 'session-timeout-tcphandshake': 10, 'session-timeout-tcpinit': 5, 'session-timeout-tcptimewait': 15, 'session-timeout-udp': 30, 'tcp-reject-nonsyn': True, }

B) To set DF override status:

> debug dataplane set ip4-ignore-df yes

> show system state | match ip4-ignore

sw.comm.s1.dp0.flow-data: { 'b_not_use_parent_policy': False, 'cclogmgmt-reject-all': False, 'combine-pkt-msg': True, 'cutthrough': True, 'distributed-sess-mgmt': False, 'dp-avg-load': 2, 'dp-cal-load': True, 'dp-load-level': 102, 'hw-ipv6': False, 'hw-mcast': False, 'hw-remove-req-cnt': 0, 'ip4-ignore-df': True, 'ip6-host-pmtu-exception-check': False, 'ip6-mcast-fwd-check': False, 'ip6-skip-1-routing-hdr-check': False, 'ip6-skip-ucast-mac-check': False, 'ipv6-firewalling': True, 'netflow-refresh-interval': 60, 'no-learning-return-mac': False, 'num-of-free-session': 1246, 'num-of-free-session-this-dp': 1246, 'process-cpu': 0, 'session-timeout-5gcdelete': 15, 'session-timeout-closing': 5, 'session-timeout-cp': 30, 'session-timeout-default': 30, 'session-timeout-discard_default': 60, 'session-timeout-discard_sctp': 30, 'session-timeout-discard_tcp': 90, 'session-timeout-discard_udp': 60, 'session-timeout-forward': 10, 'session-timeout-gtpc_request': 90, 'session-timeout-icmp': 6, 'session-timeout-opening': 5, 'session-timeout-scan': 10, 'session-timeout-sctp': 3600, 'session-timeout-sctpcookie': 60, 'session-timeout-sctpinit': 5, 'session-timeout-sctpshutdown': 60, 'session-timeout-tcp': 3600, 'session-timeout-tcp_unverif_rst': 30, 'session-timeout-tcphalfclosed': 120, 'session-timeout-tcphandshake': 10, 'session-timeout-tcpinit': 5, 'session-timeout-tcptimewait': 15, 'session-timeout-udp': 30, 'tcp-reject-nonsyn': True, }

Re: Clear DF bit for VPN

M.Lampe — Tue, 01 Apr 2025 18:05:22 GMT

Will the change below persist after a reboot, or will it be lost?"

debug dataplane set ip4-ignore-df yes

Re: Clear DF bit for VPN

OtakarKlier — Wed, 02 Apr 2025 20:02:03 GMT

Hello,

Once you 'commit' the change, it is written to the config and will persist after reboots.

Regards,