MTU/MSS Oddness?

We have an IKEv2 IPSec tunnel between two Sophos XG Firewall appliances in a corporate system for a remote site.

We don't have any specialized MSS or MTU settings other than what the IPSec tunnel already applies.

Our IPSec configuration profile for the handshake of IKEv2 IPSec tunnels fits the following profile:

... and the tunnel is established.

HOWEVER we're seeing a huge skew from expected traffic - the MSS is 1382 bytes, but we don't seem to be able to replicate this in our calculations.

MTU on the actual network links between everything is 1500 (ISP uplink, Ethernet MTUs internally, etc.), so we're headscratching a little bit here on how the MSS is being calculated.

If this is, ultimately, caused by the Sophos XG IPSec tunnel doing MSS clamping internally, then this makes sense, but a breakdown of its encapsulation and calculations would be appreciated if someone is privy to the 'defaults' at play here. Expected MSS per all sane calculations would STILL be a standard 1472, except between the two XGs it's much lower than that, so if anyone's familiar with why this is the case, your insight would be appreciated - it makes zero sense logically.



  • The MSS is set by the host sending the SYN. Each side sets its MSS in the SYN to tell the other side what MSS it can handle, and the MSS can be different in each direction. A tunnel will lower the MTU in the path because of the tunnel overhead. Really, your hosts and applications should be using PMTUD. 

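An added calculation that applies the reply above (it is not code from the thread or from Sophos): it works out how much TCP payload a 1500-byte link leaves once ESP tunnel-mode overhead is subtracted, next to the plain-Ethernet MSS and the ping-payload figure. The per-transform IV, block alignment and ICV sizes are textbook ESP values and are assumptions, not settings read from the XG appliances.

```python
# Added worked example: how tunnel overhead lowers the usable TCP MSS.
# All transform overheads below are textbook ESP values and are assumptions,
# not settings read from the Sophos XG appliances in this thread.

IPV4_HDR = 20        # outer and inner IPv4 header (no options)
TCP_HDR = 20         # TCP header without options
ICMP_HDR = 8         # ICMP echo header (for the ping-size comparison)
UDP_HDR = 8          # NAT-T encapsulation (ESP in UDP/4500)
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)

# ESP transform -> (IV bytes, cipher block alignment, ICV bytes). Assumed values.
TRANSFORMS = {
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "aes-cbc/hmac-sha2-256-128": (16, 16, 16),
    "aes-gcm-16": (8, 4, 16),
}


def plain_mss(mtu: int) -> int:
    """MSS a host advertises on a plain Ethernet path: MTU minus IP and TCP headers."""
    return mtu - IPV4_HDR - TCP_HDR            # 1500 -> 1460


def max_ping_payload(mtu: int) -> int:
    """Largest unfragmented ICMP echo payload (1500 -> 1472); this is a ping
    figure, not a TCP MSS, and the two are easy to confuse."""
    return mtu - IPV4_HDR - ICMP_HDR


def esp_tunnel_mss(link_mtu: int, transform: str, nat_t: bool = False) -> int:
    """Largest TCP payload an inner IPv4 packet can carry so that the ESP
    tunnel-mode outer packet still fits in link_mtu without fragmentation."""
    iv, align, icv = TRANSFORMS[transform]
    # Fixed outer overhead: outer IP, optional UDP for NAT-T, ESP header, IV, ICV.
    fixed = IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv + icv
    # What remains is the encrypted region: inner IP + TCP + payload + padding
    # + trailer, and that region must be a multiple of the cipher's alignment.
    enc_room = (link_mtu - fixed) // align * align
    return enc_room - ESP_TRAILER - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    print("plain 1500 MTU MSS:", plain_mss(1500))
    print("max ping payload:", max_ping_payload(1500))
    for name in TRANSFORMS:
        for nat in (False, True):
            print(f"{name:28s} NAT-T={nat!s:5s} MSS={esp_tunnel_mss(1500, name, nat)}")
```

With either assumed AES-CBC transform and NAT-T enabled, the calculation lands on 1382, the value reported in the question; whether the XGs actually negotiate such a transform is an assumption the thread does not confirm.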

  • I'm operating on the assumption that's the case in Windows systems, but this is most identifiable when we're dealing with old-style Folder Redirection / SMB traffic between the remote office and the primary office, where the traffic behavior is extremely and unusually slow. Worst case we'll have to force an MSS / MTU on the firewall, but we've been trying to rule out the MTU / MSS as the factor in the 'slowness' - small things like ping, etc. are extremely fast over the tunnel, but we're still seeing those MSS values - but it was my assumption that the MSS value alone might've been 'unusual' in this case.