CPUG: The Check Point User Group


Thread: MTU issues: packets are always fragmented by firewall!

  1. #21
    Re: MTU issues: packets are always fragmented by firewall!

    Quote Originally Posted by cciesec2006
    Did you install Jumbo hotfix 56?
    R8810 JHF56 was installed all the time.

  2. #22
    Re: MTU issues: packets are always fragmented by firewall!

    Quote Originally Posted by cciesec2006
    Did you install Jumbo hotfix 56? Did it make any differences?
    Ehm. What does this have to do with R7720 forwarding packets larger than the interface MTU? (as it seems)

  3. #23
    Re: MTU issues: packets are always fragmented by firewall!

    That's it. The MTU discrepancy on the link was at fault. In fact the old appliance running R77 was also at fault because it should never have let the traffic pass.

    The new appliance with R80 correctly enforces the MTU (drops the packets).
    Last edited by jeronimo; 2018-02-05 at 14:26.

  4. #24
    Re: MTU issues: packets are always fragmented by firewall!

    Is there a Vpn behind the firewall? Just wondering if that is the reason for the lowered mtu. If so that device should be clamping the mss in a perfect world.

  5. #25
    Re: MTU issues: packets are always fragmented by firewall!

    Quote Originally Posted by jflemingeds
    Is there a Vpn behind the firewall? Just wondering if that is the reason for the lowered mtu. If so that device should be clamping the mss in a perfect world.
    I don't know what exactly they're running on the network(s) behind the interface with the lowered MTU, there are probably tunnels and crypto and stuff.

    They do clamp the MSS, but that doesn't help if there is an MTU mismatch on the link.

  6. #26
    Re: MTU issues: packets are always fragmented by firewall!

    Quote Originally Posted by jeronimo
    I don't know what exactly they're running on the network(s) behind the interface with the lowered MTU, there are probably tunnels and crypto and stuff.

    They do clamp the MSS, but that doesn't help if there is an MTU mismatch on the link.
    It should. If the mss is clamped to a low enough level you will always be under mtu for tcp traffic at least.

  7. #27
    Re: MTU issues: packets are always fragmented by firewall!

    Quote Originally Posted by jflemingeds
    It should. If the mss is clamped to a low enough level you will always be under mtu for tcp traffic at least.
    For this to make misconfigurations have no effect in 100% of the cases you would need to set MSS ridiculously low, which is probably not a very optimal solution ;-)

    The problem is clear now: R7720 (our old appliances) just didn't care about the incoming MTU. That's a fact.

  8. #28
    Re: MTU issues: packets are always fragmented by firewall!

    Quote Originally Posted by jeronimo
    For this to make misconfigurations have no effect in 100% of the cases you would need to set MSS ridiculously low, which is probably not a very optimal solution ;-)

    The problem is clear now: R7720 (our old appliances) just didn't care about the incoming MTU. That's a fact.
    Er, yes, that is by design. MTU stands for Maximum Transmission Unit. It only controls the frame size for frames leaving/transmitting. Incoming frames can be larger than the MTU and will be accepted by Gaia/Linux; the only way to influence the remote system to send smaller frames is to lower its MTU, or clamp the TCP segment size down via MSS to make the packets (and therefore frames) smaller.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  9. #29
    Re: MTU issues: packets are always fragmented by firewall!

    Clamping MSS is ALWAYS better than allowing fragmentation. Instead of chopping the packet in 2 packets and adding overhead, you tell both sides that the MSS is lower. As an MSP we have a lot of customers with IP-SEC Backup connections, where the mss is lowered by default to a value close to 1300.
    A simple program called tcpoptimizer is a windows tool to find the MTU used on the link to a specific host, lower that number by 40 and use that as the MSS clamping value.

    We have seen performance increases on a low speed connection with fragmentation to the same line with MSS clamping turned on of up to 180%...

    When you want to read a really good article about this look at this and take a very good look at scenario 9
    Last edited by msjouw; 2018-02-06 at 12:43.
    Regards, Maarten.
    Triple MDS on R77.30, MDS on R80.10, VSX, GAIA.
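    The MSS clamping that posts #28 and #29 recommend, written out as an added example (not code from the thread or from Check Point): a gateway inspects the TCP options of a SYN and lowers the MSS option to link MTU minus 40 (IPv4 + TCP headers), leaving a smaller advertised MSS alone. The SYN is constructed inline; the TCP checksum recomputation a real gateway performs is left out.

```python
import struct
from typing import Optional, Tuple

IPV4_TCP_OVERHEAD = 40  # 20-byte IPv4 header + 20-byte TCP header: the "lower it by 40" rule


def mss_for_mtu(link_mtu: int) -> int:
    """Largest MSS whose full segment still fits in one frame of link_mtu bytes."""
    return link_mtu - IPV4_TCP_OVERHEAD


def clamp_mss(tcp_header: bytes, link_mtu: int) -> Tuple[bytes, Optional[int]]:
    """Rewrite the MSS option of a TCP SYN the way an MSS-clamping gateway does.

    Returns (new_header, mss_after). mss_after is None when the SYN carries no MSS
    option. The TCP checksum is not recomputed here; a real gateway must do that.
    """
    data_offset = (tcp_header[12] >> 4) * 4          # header length in bytes
    options = bytearray(tcp_header[20:data_offset])
    target, mss_after, i = mss_for_mtu(link_mtu), None, 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                                # End of Option List
            break
        if kind == 1:                                # NOP is a single byte
            i += 1
            continue
        length = options[i + 1]
        if kind == 2 and length == 4:                # MSS: kind, len, 16-bit value
            current = struct.unpack_from("!H", options, i + 2)[0]
            mss_after = min(current, target)         # only ever lower it, never raise it
            struct.pack_into("!H", options, i + 2, mss_after)
        i += length
    return tcp_header[:20] + bytes(options) + tcp_header[data_offset:], mss_after


def build_syn(mss: Optional[int]) -> bytes:
    """Constructed SYN (not a capture): 20-byte header plus MSS, NOP and Window Scale options."""
    if mss is None:                                  # no options: data offset 5 words
        return struct.pack("!HHIIBBHHH", 40000, 443, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01" + struct.pack("!BBB", 3, 3, 7)
    fixed = struct.pack("!HHIIBBHHH", 40000, 443, 1000, 0, 7 << 4, 0x02, 65535, 0, 0)
    return fixed + options                           # 28 bytes = 7 words
```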

  10. #30
    Re: MTU issues: packets are always fragmented by firewall!

    Quote Originally Posted by ShadowPeak.com
    Er, yes, that is by design. MTU stands for Maximum Transmission Unit. It only controls the frame size for frames leaving/transmitting. Incoming frames can be larger than the MTU and will be accepted by Gaia/Linux; the only way to influence the remote system to send smaller frames is to lower its MTU, or clamp the TCP segment size down via MSS to make the packets (and therefore frames) smaller.
    I can't confirm that on our new 5600 appliances.

    These people at Cisco also don't think about it the way you describe: https://supportforums.cisco.com/t5/l...e/td-p/2004157

  11. #31
    Re: MTU issues: packets are always fragmented by firewall!

    Quote Originally Posted by ShadowPeak.com
    Er, yes, that is by design. MTU stands for Maximum Transmission Unit. It only controls the frame size for frames leaving/transmitting. Incoming frames can be larger than the MTU and will be accepted by Gaia/Linux; the only way to influence the remote system to send smaller frames is to lower its MTU, or clamp the TCP segment size down via MSS to make the packets (and therefore frames) smaller.
    Code:
    [Expert@ckpt:0]# ethtool -S eth5 | grep -e err
         rx_crc_errors: 0
         rx_missed_errors: 0
         tx_aborted_errors: 0
         tx_carrier_errors: 0
         tx_window_errors: 0
         tx_deferred_ok: 0
         rx_long_length_errors: 5152 <------------
         rx_short_length_errors: 0
         rx_align_errors: 0
         rx_errors: 5152
         tx_errors: 0
         rx_length_errors: 5152
         rx_over_errors: 0
         rx_frame_errors: 0
         rx_fifo_errors: 0
         tx_fifo_errors: 0
         tx_heartbeat_errors: 0
         rx_queue_0_csum_err: 0
    There can be RX errors :)
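    The check behind post #31, as an added example (not code from the thread): parse two `ethtool -S` snapshots and report whether the oversize-frame counters are still rising, since a non-zero value that never moves is history while a rising one means the peer is currently sending frames larger than this interface's MTU. The first snapshot is abridged from the output above; the second is constructed. Counter names are the ones this driver prints; other NIC drivers name them differently.

```python
import re
from typing import Dict, List

# Abridged from the ethtool -S output pasted in this thread (post #31); the arrow
# annotation is kept on purpose to show that the parser ignores trailing text.
SNAPSHOT_BEFORE = """\
[Expert@ckpt:0]# ethtool -S eth5 | grep -e err
     rx_crc_errors: 0
     rx_long_length_errors: 5152 <------------
     rx_short_length_errors: 0
     rx_errors: 5152
     tx_errors: 0
     rx_length_errors: 5152
"""
# Constructed second snapshot, as if taken after pushing a large transfer across the link.
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace("5152", "5200")

COUNTER_RE = re.compile(r"^\s*([A-Za-z0-9_]+):\s*(\d+)", re.MULTILINE)

# Counters for frames longer than the interface accepts. Names are the ones the driver
# in the thread prints; other NIC drivers use different names (assumption, check yours).
OVERSIZE_RX_COUNTERS = ("rx_long_length_errors", "rx_length_errors")


def parse_ethtool_stats(text: str) -> Dict[str, int]:
    """Turn 'name: value' lines into a dict; the prompt line and annotations are skipped."""
    return {name: int(value) for name, value in COUNTER_RE.findall(text)}


def counter_deltas(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Counters that changed between two snapshots; a static non-zero value is not evidence."""
    return {k: after[k] - before[k] for k in after if k in before and after[k] != before[k]}


def diagnose_mtu_mismatch(before_text: str, after_text: str) -> List[str]:
    """Findings for the question 'is the peer sending frames bigger than our MTU right now?'."""
    before, after = parse_ethtool_stats(before_text), parse_ethtool_stats(after_text)
    deltas = counter_deltas(before, after)
    findings = [f"{name} rose by {deltas[name]}: peer is sending frames larger than the local MTU"
                for name in OVERSIZE_RX_COUNTERS if deltas.get(name, 0) > 0]
    if not findings and any(after.get(name, 0) > 0 for name in OVERSIZE_RX_COUNTERS):
        findings.append("oversize counters are non-zero but did not move: old events, not the current problem")
    return findings
```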

  12. #32
    Re: MTU issues: packets are always fragmented by firewall!

    Quote Originally Posted by jeronimo
    Code:
    [Expert@ckpt:0]# ethtool -S eth5 | grep -e err
         rx_crc_errors: 0
         rx_missed_errors: 0
         tx_aborted_errors: 0
         tx_carrier_errors: 0
         tx_window_errors: 0
         tx_deferred_ok: 0
         rx_long_length_errors: 5152 <------------
         rx_short_length_errors: 0
         rx_align_errors: 0
         rx_errors: 5152
         tx_errors: 0
         rx_length_errors: 5152
         rx_over_errors: 0
         rx_frame_errors: 0
         rx_fifo_errors: 0
         tx_fifo_errors: 0
         tx_heartbeat_errors: 0
         rx_queue_0_csum_err: 0
    There can be RX errors :)
    I stand corrected, got this situation confused with TSO issues mentioned in sk41942. Very bad memories of that one, enough to briefly mention it in my book.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  13. #33
    Re: MTU issues: packets are always fragmented by firewall!

    Quote Originally Posted by msjouw
    Clamping MSS is ALWAYS better than allowing fragmentation. Instead of chopping the packet in 2 packets and adding overhead, you tell both sides that the MSS is lower. As an MSP we have a lot of customers with IP-SEC Backup connections, where the mss is lowered by default to a value close to 1300.
    A simple program called tcpoptimizer is a windows tool to find the MTU used on the link to a specific host, lower that number by 40 and use that as the MSS clamping value.

    We have seen performance increases on a low speed connection with fragmentation to the same line with MSS clamping turned on of up to 180%...

    When you want to read a really good article about this look at this and take a very good look at scenario 9
    I don't get why anyone would want to use pmtu over mss. Maybe because pmtu is semi auto? Shrug. Just seems like it is better to not rely on a 2nd protocol to figure out mss when it can be handled with just tcp. Well, right while writing this I thought of md5 based bgp.
