topic Re: FTD IPSec MSS in Network Security

FTD IPSec MSS

JACQUES DU PLESSIS — Thu, 29 Aug 2024 07:05:48 GMT

Hi Guys,

We have a FTD terminating a few IPSec tunnels. One of them are having connectivity issues with larger packets so we suspect that there is a smaller MTU set somewhere towards the destination. As far as I know the FTD can overwrite the endpoint MSS values (in fact I think the default is 1380), so the idea is to make that smaller to make the packet sizes smaller. But I only want to do that for the specific tunnel, not all of them.

Is that possible from a FTD/FMC perspective to only influence the mss of a single tunnel?

Thanks!

Jacques

Re: FTD IPSec MSS

Mark Elsen — Thu, 29 Aug 2024 07:17:10 GMT

- Check if you have : FMC -> Devices -> Device management -> Interface -> MTU
(for changing MTU)

Re: FTD IPSec MSS

Marius Gunnerud — Thu, 29 Aug 2024 08:25:41 GMT

are you using crypto policy VPN or VTI route based VPN? and which software versions are you running?

Re: FTD IPSec MSS

JACQUES DU PLESSIS — Thu, 29 Aug 2024 08:31:05 GMT

Hi, we are using crypto policy. The FMC is 7.0.6.2 and the FTD is 6.4.0.18

Thanks!

Re: FTD IPSec MSS

MHM Cisco World — Thu, 29 Aug 2024 11:43:05 GMT

VPN IPsec option >ESPv3 setting > enable dont fragments policy>Df bit clear

This will make ftd clear df bit recieve if that what you looking for

MHM

Re: FTD IPSec MSS

Marius Gunnerud — Thu, 29 Aug 2024 13:03:07 GMT

DF bit is cleared by deafult, so I doubt that is the issue here.

I do not believe you can set the MTU / MSS on a per tunnel basis. it is a global configuration so that will affect all tunnels. Also, the base MTU is determined by the physical interface that the VPN is terminated on (for both policy based and route based VPN), but if all VPNs are associated with the same interface then changing the MTU on the physical interface will also affect all associated VPNs.

Re: FTD IPSec MSS

MHM Cisco World — Thu, 29 Aug 2024 13:28:31 GMT

VPN advance > ipsec > ipsec setting > PMTU

Let IKE use PMTU to adjust mss automatic

These two options I share hop solve your issue

MHM

Re: FTD IPSec MSS

MHM Cisco World — Thu, 29 Aug 2024 13:27:27 GMT

One more option (this need to use with df bit clear)

Advanced >ipsec> ipsec setting

Enable Fragment before encrypt

This make your FTD clear df bit and fragment packet before encrypt it

MHM

Re: FTD IPSec MSS

ccieexpert — Fri, 30 Aug 2024 06:35:53 GMT

df-bit clear etc may not help as if the MSS is 1380 it will never exceed the ipsec sa mtu and will never get fragmented before encryption .. the PMTUD also may get blocked etc... also return direction will have issue if other side doesnt do the same ..

I wish that you were using VTI and FTD had a option to set per interface MSS like IOS (:: wish wish 🙂

What I would suggest just lower the MTU to ~1300 or inbetween 1300 and 1380 or test where it breaks..

you may want to set df-bit and ping across the VPN to see where it fails that will give you a better idea of where to set the MSS..

1300-1380 is not going to kill stuff especially with high bandwidth internet link.. it will change for all vpns and all traffic going through the box...

i suggest you can test with ping with DFbit set across non working and working vpn to see if the non working is a bit off.. I dont think it will be off by more than a few bytes.. maybe 1360 MSS might work...