Clear DF bit for VPN

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Clear DF bit for VPN

L0 Member

We have recently migrated our site-to-site VPN so it is now running between a PA-3020 > Cisco ASA 5510.  After the migration we discovered that one of our cross-site applications broke and the vendor determined it was because their application communicates in 1472 byte packets with the DF bit set.  On our old VPN this was not an issue because the devices cleared the DF bit, allowing the packets to be fragmented before crossing the tunnel.

 

I have found the option on the ASA to clear the DF bit (crypto ipsec df-bit clear-df <interface>), however I can't locate anything similar in the PA documentation.

 

Can someone please point me in the right direction?  Thanks!

3 REPLIES 3

L4 Transporter

Hi Winterfrost,

 

Welcome to the community forums!

 

As far as I know, there is no option to clear the df bit, on PA. However, you can adjust MSS/MTU under Network->Interfaces.

 

Regards,

Anurag

================================================================
ACE 7.0, 8.0, PCNSE 7

The connection is currently passing 1472-byte ping with the DF-bit set, but I'm not entirely clear how this works.

 

We have 1500 MTU set on the physical external interface and on the tunnel interface on the PA.  At the remote site (Cisco ASA) we have the same MTU settings, but we had to turn on the option to clear the DF bit on the ASA to pass a DF-flagged 1472 byte ping.  I assumed we needed to do the same on the PA, but as soon as we enabled it on the Cisco side, the pings started to go through.

 

So 1472 data + 20 IP header + 8 ICMP header = 1500.  But this doesn't include IPSec overhead.

 

It's my understanding that a VPN device will typically evaluate a packet's size against the MTU, including the size of the IPSec header, and determine if fragmentation is needed.  In the case of a packet flagged with the DF-bit, if this total size exceeds the MTU, the packet will be dropped... unless you tell the VPN device to ignore the DF-bit.

 

On the Cisco side this is what we did, so the packets are fragmented despite the DF-bit and the communication works.  Is the PA doing the same thing automatically?  Or (much more likely) am I completely misunderstanding something?

L0 Member

A) To check DF override status:

 

> show system state | match ip4-ignore


sw.comm.s1.dp0.flow-data: { 'b_not_use_parent_policy': False, 'cclogmgmt-reject-all': False, 'combine-pkt-msg': True, 'cutthrough': True, 'distributed-sess-mgmt': False, 'dp-avg-load': 2, 'dp-cal-load': True, 'dp-load-level': 102, 'hw-ipv6': False, 'hw-mcast': False, 'hw-remove-req-cnt': 0, 'ip4-ignore-df': False, 'ip6-host-pmtu-exception-check': False, 'ip6-mcast-fwd-check': False, 'ip6-skip-1-routing-hdr-check': False, 'ip6-skip-ucast-mac-check': False, 'ipv6-firewalling': True, 'netflow-refresh-interval': 60, 'no-learning-return-mac': False, 'num-of-free-session': 1246, 'num-of-free-session-this-dp': 1246, 'process-cpu': 0, 'session-timeout-5gcdelete': 15, 'session-timeout-closing': 5, 'session-timeout-cp': 30, 'session-timeout-default': 30, 'session-timeout-discard_default': 60, 'session-timeout-discard_sctp': 30, 'session-timeout-discard_tcp': 90, 'session-timeout-discard_udp': 60, 'session-timeout-forward': 10, 'session-timeout-gtpc_request': 90, 'session-timeout-icmp': 6, 'session-timeout-opening': 5, 'session-timeout-scan': 10, 'session-timeout-sctp': 3600, 'session-timeout-sctpcookie': 60, 'session-timeout-sctpinit': 5, 'session-timeout-sctpshutdown': 60, 'session-timeout-tcp': 3600, 'session-timeout-tcp_unverif_rst': 30, 'session-timeout-tcphalfclosed': 120, 'session-timeout-tcphandshake': 10, 'session-timeout-tcpinit': 5, 'session-timeout-tcptimewait': 15, 'session-timeout-udp': 30, 'tcp-reject-nonsyn': True, }

 

B) To set DF override status:

 

> debug dataplane set ip4-ignore-df yes

> show system state | match ip4-ignore

 

sw.comm.s1.dp0.flow-data: { 'b_not_use_parent_policy': False, 'cclogmgmt-reject-all': False, 'combine-pkt-msg': True, 'cutthrough': True, 'distributed-sess-mgmt': False, 'dp-avg-load': 2, 'dp-cal-load': True, 'dp-load-level': 102, 'hw-ipv6': False, 'hw-mcast': False, 'hw-remove-req-cnt': 0, 'ip4-ignore-df': True, 'ip6-host-pmtu-exception-check': False, 'ip6-mcast-fwd-check': False, 'ip6-skip-1-routing-hdr-check': False, 'ip6-skip-ucast-mac-check': False, 'ipv6-firewalling': True, 'netflow-refresh-interval': 60, 'no-learning-return-mac': False, 'num-of-free-session': 1246, 'num-of-free-session-this-dp': 1246, 'process-cpu': 0, 'session-timeout-5gcdelete': 15, 'session-timeout-closing': 5, 'session-timeout-cp': 30, 'session-timeout-default': 30, 'session-timeout-discard_default': 60, 'session-timeout-discard_sctp': 30, 'session-timeout-discard_tcp': 90, 'session-timeout-discard_udp': 60, 'session-timeout-forward': 10, 'session-timeout-gtpc_request': 90, 'session-timeout-icmp': 6, 'session-timeout-opening': 5, 'session-timeout-scan': 10, 'session-timeout-sctp': 3600, 'session-timeout-sctpcookie': 60, 'session-timeout-sctpinit': 5, 'session-timeout-sctpshutdown': 60, 'session-timeout-tcp': 3600, 'session-timeout-tcp_unverif_rst': 30, 'session-timeout-tcphalfclosed': 120, 'session-timeout-tcphandshake': 10, 'session-timeout-tcpinit': 5, 'session-timeout-tcptimewait': 15, 'session-timeout-udp': 30, 'tcp-reject-nonsyn': True, }

  • 7424 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!