03-10-2015 09:26 PM
Got an odd issue I was hoping someone may have seen.
PA 500 setting up a 4 port LACP bond to Juniper switches. Running PanOS 6.1.2.
Set up the LACP bond on both ends, LACP would not negotiate. Spent many hours wtf’ing, couldn’t find anything odd anywhere, other LACP bonds we’ve set up previously work perfectly.
Eventually, looking at other config snippets (we don’t run these switches, so what I get to see is pretty limited), I discovered the MTU on Juniper switches is 1514 by default (I do Extreme Networks and Cisco so wasn’t expecting this).
If we set the Juniper ports to 1500, the bond comes up.
However, from what I have read, the 1514 MTU that Juniper uses includes the Ethernet header data, which on Cisco (and Palo Alto, and every other vendor known to man) is not included in the count. So effectively the data layer the Juniper is putting out is 1500 less the Ethernet data.
By us forcing the Juniper to 1500, it has now lowered the data MTU to 1486, which is now going to cause fragmentation on the network; however, the LACP bond connects.
Here is the juniper calculation:
Application Data (1472 bytes) + ICMP Header (8 bytes) + IPv4 Header (20 bytes) + Ethernet Header (14 bytes) = 1514 bytes, which will be the default MTU size of the Juniper Ethernet port.
And the rest of the world calculation:
APP-DATA + ICMP HEADER + IPV4 HEADER, which comes to 1500 bytes.
So. Where to from here? I can adjust the MTU on every Juniper to 1500, however we would then need to adjust every workstation, laptop, tablet and printer to the same to avoid fragmentation.
The PA only goes up to 1500 so I can't adjust that, and even if I could, it's likely to cause other issues elsewhere.
Keen on any ideas you may have on this!
03-11-2015 07:52 PM
Why do you need to adjust the MTU on every workstation? Mostly you will find a 1500-byte MTU on client-side machines, and the TCP stack takes care of the MSS size based on the MTU. Moreover, on the PA you can adjust the MSS size sent in SYN packets. UDP-based applications keep the payload size such that a single packet can carry meaningful information for request and response. The 1500 MTU is enough in most cases for UDP-based applications. If there is some tunneling using UDP, then fragmentation is very difficult to stop.