This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

SD-WAN adjust MSS - PAN-OS

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

SD-WAN adjust MSS - PAN-OS

peter.vandereijk
L0 Member

‎10-30-2023 06:57 AM

I'd like to understand if Palo Alto SD-WAN automatically changes (or can change) the MSS value in the TCP 3 way handshake.

SD-WAN checks the underlaying tunnel interfaces on their MTU and applies the minimum MTU to the related SD-WAN interface.

 

When checking an SD-WAN interface you can check the Interface MTU (in the example 1423).

The "Adjust TCP MSS" is set to no

 

Is it possible to set the Adjust TCP MSS to yes so this value is automatically set to the SD-WAN interface MTU - 40?

Or tis this already applied by the SD-WAN functionality. (For Prisma SD-WAN  this was introduced in 5.4.1)

 

Name: sdwan.949, ID: 245
Operation mode: layer3
Virtual router vr1
Interface MTU 1423
Interface management profile: N/A
Service configured:
Zone: zone-to-branch, virtual system: vsys1
Adjust TCP MSS: no
Ignore IPv4 DF: no
Policing: no
SD-WAN interface members: tunnel.xx,tunnel.xx

 

 

0 Likes Likes
1 REPLY 1

WtrN06
L1 Bithead

‎02-07-2024 06:49 AM

 

I have a followup question for this one..

 

I've read https://live.paloaltonetworks.com/t5/community-blogs/tcp-mss-adjustments-updated-february-2023/ba-p/... together with all the extra included KB articles.

But it's still unclear to me how I can manualy manipulate the MSS-value of tunnels set up by the SD-WAN pluging.

The KB states that the MSS is automaticly adjusted by the FW itself, but in my case these are still too high.


According the KB articles I can change these values in the tunnel-interface. But all these examples are based on IPSec tunnels set up manualy.

 

If I change these values of the tunnels generated by the SDWAN-plugin, will I break this feature? Is it overwritten with a next policy push?

 

It would be great to change these values in Panorama and push them, but I know the SDWAN pluging doesn't work that way.

 

 

0 Likes Likes
  • 1879 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks