[SOLVED] NORDLAYER VPN USERS LOSE INTERNET ACCESS BEHIND AN NGFW; IT WORKS ONLY AFTER CHANGING THE MTU

Hello LiveCommunity Team!

I created this post to share my experience with an issue involving the NordLayer VPN for internal users behind an NGFW, which caused them to lose their entire Internet connectivity after 5 minutes:

Steps taken to resolve the issue:

1- Verify the NordLayer virtual adapter MTU:

On the laptop, I checked the MTU value of the virtual adapter for the NordLayer VPN, which showed the default value of 1420 bytes, as shown below:

[Screenshot: test user interfaces MTU values]

The test user changed the MTU of the NordLayer virtual adapter to 1380 bytes and the VPN worked perfectly, without the user losing Internet access.

2- Take a Wireshark capture on the Ethernet/Wi-Fi adapter of the test user:

This identified NordLayer's destination public IP address and the protocol used by the VPN; it turned out that WireGuard was being used:

[Screenshot: test user packet capture, Ethernet adapter]

Note: The test user's private IP is 10.3.9.227 and the NordLayer VPN public IP is 67.227.X.X

3- Perform a packet capture on the NGFW and check the global counters:

The traffic between the NGFW and the NordLayer IP 67.227.X.X is captured at the moment the browsing failure is detected on the test user's machine. Packets are seen in the drop stage on the NGFW because the response IP packets from NordLayer 67.227.X.X to the NGFW's public IP arrive as IP fragments, possibly because some equipment in the middle fragments them as it cannot handle the full packet size, and the VPN uses WireGuard over UDP without the "Don't Fragment" bit set in the IPv4 header.

[Screenshot: NGFW drop-stage packet capture]

Note: The NordLayer IP is 67.227.X.X and the NGFW public IP is 200.X.X.X

The NGFW's packet capture filter was configured as follows:

1- INTERNAL USER TO NORDLAYER
Source: Test User Private IP (10.3.9.227 )
Destination: NordLayer Public IP (67.227.X.X)

2- NORDLAYER TO NGFW
Source: NordLayer Public IP (67.227.X.X)
Destination: NGFW Public IP (200.X.X.X)

With the above packet capture filter configured, I checked the NGFW's global counters and saw the following drop counter incrementing several times:

admin@FW> show counter global filter packet-filter yes delta yes | match drop
flow_dos_pf_ipfrag 1424 12 drop flow dos Packets dropped: Zone protection option 'discard-ip-frag'

Therefore, as an alternative solution, I went to the Zone Protection Profile applied to the Outside security zone and disabled the "Fragmented Traffic" option, as shown below:

[Screenshot: NGFW zone protection profile attached to the Outside zone]


Following this change, the NordLayer VPN was confirmed to work, even with the NordLayer virtual adapter's MTU kept at the default value of 1420 bytes!

Conclusions:

- When the test user changes the NordLayer virtual adapter's MTU to 1380 bytes, devices along the path can handle each packet without fragmenting it, so the NGFW no longer receives and discards fragmented IP packets, and the NordLayer VPN works as expected. However, this solution is not scalable for a production environment with many users.

- The Zone Protection Profile was discarding the fragmented IP packets from NordLayer because the "Fragmented Traffic" option was enabled in the Packet Based Attack Protection tab.

- Some device on the return path was fragmenting the NordLayer IP packets because the VPN packets carried IPv4 headers without the DF bit set.


Thank you for your time, and I hope this information is helpful in your daily cybersecurity work. I would greatly appreciate your support by liking or accepting this as a useful post; it would help me a lot in becoming a CyberElite!


Best Regards,


Daniel Romero
Senior Network/Security Engineer
PANW Partner


#NGFW #PAN-OS #VPN #ZoneProtection #ZPP #MTU

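The size arithmetic behind the post, as an added example that is not code from the original post, from NordLayer or from Palo Alto Networks: WireGuard over IPv4 adds 60 bytes (20 IPv4 + 8 UDP + 16 WireGuard transport header + 16 Poly1305 tag) to every inner packet, so a 1420-byte tunnel MTU produces 1480-byte outer packets and a 1380-byte tunnel MTU produces 1440-byte ones. The block below models what a router on a narrower link does with such a packet depending on the DF bit, and decodes the IPv4 fragmentation fields that a drop-stage capture would show when 'discard-ip-frag' fires. The link MTU of 1452 used in the demo, the RFC 5737 addresses and the packet bytes are constructed assumptions, not the post's real path or hosts.

```python
"""Added example: WireGuard MTU arithmetic, router fragmentation vs DF, and
IPv4 fragment detection.  Packets and addresses are constructed placeholders."""
import socket
import struct

# WireGuard transport-data encapsulation over IPv4 (no IP options):
IPV4_HDR = 20      # outer IPv4 header
UDP_HDR = 8        # UDP header
WG_HDR = 16        # type+reserved (4) + receiver index (4) + nonce counter (8)
WG_TAG = 16        # ChaCha20-Poly1305 authentication tag
WG_OVERHEAD = IPV4_HDR + UDP_HDR + WG_HDR + WG_TAG   # 60 bytes


def outer_size(tunnel_mtu):
    """Wire size of a WireGuard packet carrying a full-size inner packet."""
    return tunnel_mtu + WG_OVERHEAD


def will_fragment(tunnel_mtu, path_mtu):
    """True when the outer packet exceeds the path MTU (with DF clear it gets fragmented)."""
    return outer_size(tunnel_mtu) > path_mtu


def max_tunnel_mtu(path_mtu):
    """Largest tunnel MTU whose outer packets still fit the path MTU unfragmented."""
    return path_mtu - WG_OVERHEAD


def ipv4_header(src, dst, ident, df, mf, offset, proto=17, payload_len=0):
    """Build a minimal 20-byte IPv4 header (checksum left zero; for analysis only)."""
    flags_frag = (0x4000 if df else 0) | (0x2000 if mf else 0) | ((offset // 8) & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + payload_len, ident,
                       flags_frag, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def fragment_info(pkt):
    """Decode the IPv4 header fields that govern fragmentation."""
    if len(pkt) < IPV4_HDR:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, ident, flags_frag, _, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:IPV4_HDR])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    offset = (flags_frag & 0x1FFF) * 8
    mf = bool(flags_frag & 0x2000)
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "id": ident,
        "proto": proto, "len": total_len, "df": bool(flags_frag & 0x4000),
        "mf": mf, "offset": offset,
        # A packet with MF set or a non-zero offset is a fragment; that is the
        # condition a 'discard fragmented traffic' zone protection acts on.
        "is_fragment": mf or offset > 0,
    }


def router_action(pkt, link_mtu):
    """What a next-hop router does with pkt on a link of link_mtu bytes.
    Returns (action, packets_forwarded)."""
    info = fragment_info(pkt)
    if len(pkt) <= link_mtu:
        return "forward", [pkt]
    if info["df"]:
        # DF set: the router drops the packet and sends ICMP Fragmentation
        # Needed, which is what lets path MTU discovery shrink the sender's packets.
        return "drop_icmp_frag_needed", []
    payload = pkt[IPV4_HDR:]
    chunk = (link_mtu - IPV4_HDR) // 8 * 8   # every piece but the last is a multiple of 8
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        more = off + chunk < len(payload)
        frags.append(ipv4_header(info["src"], info["dst"], info["id"], False, more,
                                 off, info["proto"], len(piece)) + piece)
    return "fragment", frags


def count_fragments(packets):
    """Number of packets a zone protection 'discard-ip-frag' check would drop."""
    return sum(1 for p in packets if fragment_info(p)["is_fragment"])


def demo(tunnel_mtu=1420, link_mtu=1452, df=False):
    """Return-path WireGuard packet (constructed) crossing a narrower link.
    Returns (router action, packets on the far side, how many are fragments)."""
    payload_len = outer_size(tunnel_mtu) - IPV4_HDR
    pkt = ipv4_header("198.51.100.10", "203.0.113.1", 0x1234, df, False, 0, 17,
                      payload_len) + b"\x00" * payload_len
    action, out = router_action(pkt, link_mtu)
    return action, len(out), count_fragments(out)


if __name__ == "__main__":
    for mtu in (1420, 1380):
        print(f"tunnel MTU {mtu}: outer {outer_size(mtu)} bytes ->", demo(mtu))
    print("same 1420 packet with DF set ->", demo(1420, 1452, df=True))
```

Run as-is, the 1420-byte tunnel packet (1480 bytes on the wire) is split into two fragments on the assumed 1452-byte link and both would be counted by a fragment-discarding zone protection, while the 1380-byte one (1440 bytes) passes whole. `max_tunnel_mtu` gives the largest interface MTU that avoids fragmentation for a measured path MTU, which is the value to push to clients if you would rather keep fragment discarding enabled on the outside zone than relax the profile for everyone.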