How to Verify MTU Size Exceeded
Resolution
Overview
This document describes how to verify MTU size and configure it on the interface.
Details
Look for the following global counters which indicate a drop on flow_fwd_mtu_exceeded:
> show counter global filter packet-filter yes delta yes
:flow_fwd_mtu_exceeded 7 0 info flow forward Packets lengths exceeded MTU
:flow_fwd_ip_df 5 0 drop flow forward Packets dropped: exceeded MTU but DF bit present
The above counters appear when the MTU size is less than 1500. If drops are seen on the counters specified above, set the MTU size for the applicable interface to 1500.
Go to Network > Interface > Ethernet1/3 > Advanced > MTU to configure the MTU value.
Also, via the CLI, you can check the MTU size with the following command:
> show interface ethernet1/3
--------------------------------------------------------------------------------
Name: ethernet1/3, ID: 18
Link status:
Runtime link speed/duplex/state: 1000/full/up
Configured link speed/duplex/state: auto/auto/auto
MAC address:
Port MAC address 00:1b:17:a6:41:12
Operation mode: layer3
Untagged sub-interface support: no
--------------------------------------------------------------------------------
Name: ethernet1/3, ID: 18
Operation mode: layer3
Virtual router default
Interface MTU 1500
Interface IP address: 10.66.24.60/23
Interface management profile: ping-only
ping: yes telnet: no ssh: no http: no https: no
snmp: no response-pages: no
Verify if the DF bit (Do not Fragment) is set to 1 in the packets received on the Palo Alto Networks firewall by looking at WireShark captures. Check for the MTU value of the packets received by the firewall and the MTU value of the interface. If the value on receiving packets exceed the value set on the interface, then the firewall would drop the packets giving the above counter values.
Note: When MTU size is exceeded, it may cause issues loading some websites.
owner: ssunku