03-28-2023 08:27 PM
I've read on here multiple posts, older and newer but I think part of my issue is that I'm new to this environment and I'm hoping for a bit of guidance. I took over 4 sites with PA-220 firewalls which were way out of date, I've just got them to 10.0.11 and yes I know I still have a few more to go.
All 4 sites have a ipsec tunnel to AWS, one of those sites is heavy with accessing network shares stored on AWS. I went through and read the document on When To Use Adjust MSS. Very helpful but here is my question that I'm hoping for a bit of guidance.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PN0gCAG
After walking through the document I now want to go in and set the MTU to 1360 and MSS to 140 bytes, I feel a good start after the results with the ping, If I'm understanding what I did and the results. I would like to know if the following is the correct spot in the interface to make these changes before I just go in and do it.
Network > Interfaces > Ethernet > ethernet 1/2 Layer 3 > Advanced
Management Profile MTU - 1360
Adjust TCP MSS Both ipv4 & 6 set to 140
Thank you
04-04-2023 08:57 PM
Hi @FMA-Admin ,
That is one of the places you can set MTU and MSS values. If you are looking to adjust the values for your tunnels, you will have to click on the tunnel interface itself.
Network -> Interfaces -> Tunnel -> Select the tunnel used for each VPN -> Advanced Tab
04-05-2023 08:01 AM
Tunnel interfaces have IPs configured and ping permitted on both sides?
If not then PMTUD packets might not be passed through and this can cause slowness.
MSS helps only with TCP but UDP sill needs to learn MTU limit the hard way.
04-05-2023 03:58 PM
Yeah I did look at the AWS tunnel settings, but I noticed they only had MTU, not MSS. IFor the tunnels the Management Profile set to None, MTU is empty.
04-07-2023 07:28 AM
Take a look at this KB
https://live.paloaltonetworks.com/t5/blogs/tcp-mss-adjustments-updated-february-2023/ba-p/156881
Also according to link below 'For TCP traffic over IPSec Tunnel, the Palo Alto Networks firewall will automatically adjust the TCP MSS in the three-way handshake.'
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClW3CAK
So instead of playing around with MTU and MSS confirm that PMTUD packets are utilized.
I am pretty sure you need to have management profile that permits ping on tunnel interface for that.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
