PA-220 Slow Response time connecting over ipsec tunnel to AWS.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

PA-220 Slow Response time connecting over ipsec tunnel to AWS.

L1 Bithead

I've read on here multiple posts, older and newer but I think part of my issue is that I'm new to this environment and I'm hoping for a bit of guidance. I took over 4 sites with PA-220 firewalls which were way out of date, I've just got them to 10.0.11 and yes I know I still have a few more to go.

 

All 4 sites have a ipsec tunnel to AWS, one of those sites is heavy with accessing network shares stored on AWS. I went through and read the document on When To Use Adjust MSS. Very helpful but here is my question that I'm hoping for a bit of guidance.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PN0gCAG

 

After walking through the document I now want to go in and set the MTU to 1360 and MSS to 140 bytes, I feel a good start after the results with the ping, If I'm understanding what I did and the results. I would like to know if the following is the correct spot in the interface to make these changes before I just go in and do it.

 

Network > Interfaces > Ethernet > ethernet 1/2 Layer 3 > Advanced

Management Profile MTU - 1360

Adjust TCP MSS Both ipv4 & 6 set to 140

 

Thank you

InterfaceMTU.pngInterfaceMTUSetting.png

 

Wade Stolz
Advisory Desktop Services Analyst
Phone: 608.410.0902
4 REPLIES 4

Community Team Member

Hi @FMA-Admin ,

 

That is one of the places you can set MTU and MSS values. If you are looking to adjust the values for your tunnels, you will have to click on the tunnel interface itself. 

 

Network -> Interfaces -> Tunnel -> Select the tunnel used for each VPN -> Advanced Tab

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Cyber Elite
Cyber Elite

Tunnel interfaces have IPs configured and ping permitted on both sides?

If not then PMTUD packets might not be passed through and this can cause slowness.

 

MSS helps only with TCP but UDP sill needs to learn MTU limit the hard way.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Yeah I did look at the AWS tunnel settings, but I noticed they only had MTU, not MSS. IFor the tunnels the Management Profile set to None, MTU is empty. 

Wade Stolz
Advisory Desktop Services Analyst
Phone: 608.410.0902

Cyber Elite
Cyber Elite

Take a look at this KB

https://live.paloaltonetworks.com/t5/blogs/tcp-mss-adjustments-updated-february-2023/ba-p/156881

 

Also according to link below 'For TCP traffic over IPSec Tunnel, the Palo Alto Networks firewall will automatically adjust the TCP MSS in the three-way handshake.'

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClW3CAK

 

So instead of playing around with MTU and MSS confirm that PMTUD packets are utilized.

I am pretty sure you need to have management profile that permits ping on tunnel interface for that.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
  • 1862 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!