topic Re: MTU problem PA-500 5.0.6 in General Topics

MTU problem PA-500 5.0.6

gmoss — Thu, 12 Jun 2014 07:30:29 GMT

I have a PA-500 5.0.6

From inside my network I see an MTU maximum of 1023. From outside through my ISP I see the MTU that I expect of 1492. Traffic through the PA sees an MTU of 1023. I haven't changed the interfaces. Is this possible to fix? Where in the PA config would I look?

bb33@bb33-vlinux:~  
$ ping -s 995 google.com
PING google.com (74.125.237.96) 995(1023) bytes of data.
1003 bytes from syd01s12-in-f0.1e100.net (74.125.237.96): icmp_req=1 ttl=52 time=29.8 ms
1003 bytes from syd01s12-in-f0.1e100.net (74.125.237.96): icmp_req=2 ttl=52 time=29.6 ms
^C
--- google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 29.673/29.782/29.892/0.204 ms
bb33@bb33-vlinux:~ 1 
$ ping -s 996 google.com
PING google.com (74.125.237.201) 996(1024) bytes of data.
^C
--- google.com ping statistics ---
36 packets transmitted, 0 received, 100% packet loss, time 35253ms

bb33@bb33-vlinux:~ 1 
$

Re: MTU problem PA-500 5.0.6

HULK — Thu, 12 Jun 2014 07:44:03 GMT

Please find below a screenshot and verify MTU on both ingress and egress interface of the PAN firewall. Also, could you please check "adjust MSS" option and do a test ( for TCP).

Thanks

Re: MTU problem PA-500 5.0.6

patmal — Thu, 12 Jun 2014 12:46:22 GMT

When you have zone protection on an interface the largest ICMP packet allowed is 1024 - TCP and ICMP header = 995. You can remove the ICMP large packet option in the zone protection profile

The Largest ICMP Packet Allowed with Zone Protection Enabled for Large ICMP Packets

Re: MTU problem PA-500 5.0.6

gmoss — Fri, 13 Jun 2014 01:33:40 GMT

When you have zone protection on an interface the largest ICMP packet allowed is 1024 - TCP and ICMP header = 995. You can remove the ICMP large packet option in the zone protection profile

I thought this might be it. It sounds right and has the right numbers but I unticked that option for my internal network and "ping -s 996 google.com" to outside still failed.

My bad. This is correct, but I had to add it to the egress interface (of course). Now I am seeing a max MTU of 1442 (1470). Not sure why it's not 1464 (1492).