Does anyone know if the maximum permitted UDP packet size follows the MTU setting? Or is there a specific setting for this?
I need to understand if the PA automatically allows UDP packet sizes over 512 bytes.
A UDP packet without fragmentation is limited by the MTU (for Ethernet it is 1500 bytes of payload). But if there is a router, gateway etc. between the source and destination, the MTU could be different. In this case the lowest MTU size will be taken (path MTU). The MTU size is a parameter of an interface and is usually modifiable.
You can go to the Network ---> Interfaces tab ---> select the interface ---> Advanced settings.
You will see a configurable MTU and an option to adjust the TCP MSS.
Below is the explanation for both of them:
MTU—Enter the maximum transmission unit (MTU) in bytes for packets sent on this Layer 3 interface (512 to 1500, default 1500). If machines on either side of the firewall perform Path MTU Discovery (PMTUD), the MTU value will be returned in an ICMP fragmentation needed message indicating that the MTU is too large.
Adjust TCP MSS—If you select this check box, the maximum segment size (MSS) is adjusted to 40 bytes less than the interface MTU. This setting addresses the situation in which a tunnel through the network requires a smaller MSS. If a packet cannot fit within the MSS without fragmenting, this setting allows an adjustment to be made.
Hopefully this helps.
In Device -> Setup -> Session you can also, for some models, enable "Jumbo Frame" and there select a jumbo frame size (MTU) of up to 9192 bytes (I guess this number is an MTU of 9000 plus all sorts of headers the packet might have, like 802.1Q and so on).
UDP doesn't support PMTUD, so turning on "Adjust TCP MSS" won't help in your situation. You can check the MTU settings on your PA device by using the command "show routing fib", and to check if jumbo frames are enabled, "show system setting jumbo-frame" if your device supports it.
A simple way to find the max MTU between two nodes is using the ping command (on a Windows box) with the -f and -l options. Start by doing a ping from device A to device B using: ping -f <device B ip> -l 1472 (28 bytes overhead). If the MTU along the whole path is 1500 you should receive a "Reply from <device B ip>" message, but if the MTU is lower you get the "Packet needs to be fragmented but DF set" message. If you get the latter message, keep dropping the -l value on the ping command by 10 or 20 bytes till you get a "Reply from <device B ip>" message; that value + 28 bytes is your max MTU.
If the 2 devices are on different networks then it will more than likely pass through a router or firewall that blocks ICMP traffic and won't respond to a ping. In this case you can still use the same method, only that when the packet size is within the MTU you'll just get a "Request timed out" message, but you should still get the "Packet needs to be fragmented but DF set" message when the packet is too large.
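The manual probe-and-shrink method above, written up as a small script (an added example, not code from the post or from Palo Alto Networks). It assumes the Windows `ping -f -l` syntax the reply describes, adds the 28-byte IPv4+ICMP overhead from the reply, binary-searches instead of stepping down 10 bytes at a time, and treats a "Request timed out" the way the reply says to when ICMP replies are blocked; the `simulated_probe` stand-in is constructed so the search can be run without a network.

```python
import re
import subprocess
from typing import Callable

# Overhead quoted in the reply: 20-byte IPv4 header + 8-byte ICMP echo header.
ICMP_IPV4_OVERHEAD = 28


def classify_ping_output(output: str) -> str:
    """Map Windows ping output to 'reply', 'fragment' or 'timeout'."""
    text = output.lower()
    if "fragmented but df set" in text:       # path MTU too small for this payload
        return "fragment"
    if re.search(r"reply from .*bytes=", text):  # echo reply came back intact
        return "reply"
    return "timeout"                           # ICMP replies filtered somewhere, or host down


def windows_ping_probe(host: str, payload: int) -> str:
    """Send one DF-set echo with the given payload (Windows ping syntax from the post)."""
    proc = subprocess.run(["ping", "-f", "-n", "1", "-l", str(payload), host],
                          capture_output=True, text=True)
    return classify_ping_output(proc.stdout)


def find_path_mtu(probe: Callable[[int], str], low: int = 548, high: int = 1472) -> int:
    """Largest DF payload that is not rejected, plus overhead, gives the path MTU.

    As the reply notes, only the 'fragment' message proves the payload is too big;
    a 'timeout' is treated as fitting, because a filtering hop may eat the reply."""
    if probe(high) != "fragment":
        return high + ICMP_IPV4_OVERHEAD            # full 1500-byte path
    if probe(low) == "fragment":
        raise RuntimeError("path MTU is below the search floor")
    lo, hi = low, high                              # invariant: lo fits, hi is rejected
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid) == "fragment":
            hi = mid
        else:
            lo = mid
    return lo + ICMP_IPV4_OVERHEAD


def simulated_probe(path_mtu: int, icmp_blocked: bool = False) -> Callable[[int], str]:
    """Constructed stand-in for the network: a path whose smallest link MTU is path_mtu."""
    def probe(payload: int) -> str:
        if payload + ICMP_IPV4_OVERHEAD > path_mtu:
            return "fragment"
        return "timeout" if icmp_blocked else "reply"
    return probe
```

For a live run, pass `lambda n: windows_ping_probe("<device B ip>", n)` to `find_path_mtu`; the search never needs more than about ten pings.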