Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Who rated this post

Cyber Elite
Cyber Elite

Thank you for reply @Doyenadmin


The MTU issue is there regardless you apply permit access list or not. When the permit access list is not applied, it is masking the issue. What I think is happening is as follows:

The initial TCP 3 way handshake initiated by your PC is completed. These packets are small and do not carry any data, then your PC send SSL client Hello and Firewall replies with Server hello. The packet size is large as it contains all SSL related information. The size of this packet is exceeding MTU between Firewall and your PC while the DF bit is set. The node that is dropping this packet is sending back to Firewall ICMP Type 3 Code 4 to lower MTU using its own interface IP address as a source and this is part where the issue with permitted IP addresses comes in. The Firewall accepts only source IP addresses that you allow and intermediate node that is asking for lowering MTU is not in the permitted IP address list. In nutshell, if you knew the IP address of this node and put it in the permit list, then you would not have to lower MTU. With the list in place, this is breaking PMTU Discovery. This kind of issue is typically something with ISP that is out of your control.


Kind Regards


Help the community: Like helpful comments and mark solutions.
Who rated this post