This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

MTU problem PA-500 5.0.6

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

MTU problem PA-500 5.0.6

gmoss
L1 Bithead

‎06-12-2014 12:30 AM

I have a PA-500 5.0.6

From inside my network I see an MTU maximum of 1023.  From outside through my ISP I see the MTU that I expect of 1492.  Traffic through the PA sees an MTU of 1023.  I haven't changed the interfaces.  Is this possible to fix?  Where in the PA config would I look?

bb33@bb33-vlinux:~  
$ ping -s 995 google.com
PING google.com (74.125.237.96) 995(1023) bytes of data.
1003 bytes from syd01s12-in-f0.1e100.net (74.125.237.96): icmp_req=1 ttl=52 time=29.8 ms
1003 bytes from syd01s12-in-f0.1e100.net (74.125.237.96): icmp_req=2 ttl=52 time=29.6 ms
^C
--- google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 29.673/29.782/29.892/0.204 ms
bb33@bb33-vlinux:~ 1 
$ ping -s 996 google.com
PING google.com (74.125.237.201) 996(1024) bytes of data.
^C
--- google.com ping statistics ---
36 packets transmitted, 0 received, 100% packet loss, time 35253ms

bb33@bb33-vlinux:~ 1 
$
Labels:
0 Likes Likes
3 REPLIES 3

HULK
L7 Applicator

‎06-12-2014 12:44 AM

Please find below a screenshot and verify MTU on both ingress and egress interface of the PAN firewall. Also, could you please check "adjust MSS" option and do a test ( for TCP).

MTU.JPG

Thanks

0 Likes Likes

patmal
L1 Bithead

‎06-12-2014 05:46 AM

When you have zone protection on an interface the largest ICMP packet allowed is 1024 - TCP and ICMP header = 995. You can remove the ICMP large packet option in the zone protection profile

The Largest ICMP Packet Allowed with Zone Protection Enabled for Large ICMP Packets

gmoss
L1 Bithead
In response to patmal

‎06-12-2014 06:33 PM 

When you have zone protection on an interface the largest ICMP packet allowed is 1024 - TCP and ICMP header = 995. You can remove the ICMP large packet option in the zone protection profile

I thought this might be it.  It sounds right and has the right numbers but I unticked that option for my internal network and "ping -s 996 google.com" to outside still failed.

My bad.  This is correct, but I had to add it to the egress interface (of course).  Now I am seeing a max MTU of 1442 (1470).  Not sure why it's not 1464 (1492).

0 Likes Likes
  • 3140 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks