https://community.cisco.com/t5/network-security/path-mtu-discovery-broken-on-ftdv-with-pppoe-interface-6-6-amp-7/m-p/5266872#M1119846 <P>To your knowledge was this ever fixed in an update/ newer release or is the fix really simply an individual needs done manually?</P> Mon, 03 Mar 2025 17:53:43 GMT TheGoob 2025-03-03T17:53:43Z https://community.cisco.com/t5/network-security/path-mtu-discovery-broken-on-ftdv-with-pppoe-interface-6-6-amp-7/m-p/4506731#M1085290 <P>I am moving a PPPOE-based internet connection from an FTDv running 6.4.0.8-28 on ESXi to a 6.6.5-13 FTDv running on the same ESXi host. The only other difference is the old was managed by an FMC, the new is managed locally (FDM).</P><P>On the original FTD I never changed the outside interface MTU (it's at 1500). On the new FTD I tried lowering the MTU to 1452.</P><P>&nbsp;</P><P>On the old connection, Path MTU Discovery works.</P><P>Verification: I cannot ping out to the internet with a full 1500-byte packet with the DF bit set, but I have no connectivity issues (standard web browsing) because (I assume) PMTUD works and lowers my PC's transmission units to stay under what the pppoe connection supports.</P><P>&nbsp;</P><P>When I cut over to the new connection (FTDv 6.6) there are many websites that don't work. Looking at the ASP drops on the FTDv I see it dropping packets with errors stating fragmentation required but df-bit set.</P><P>To confirm the issue I hard-coded my PC MTU to 1450 and I have no problem browsing websites. As soon as I set it to 1500 I have problems. It sounds to me like PMTUD is broken when traffic flows through the new FTD.</P><P>I also tried a 7.0 FTDv with the same results.</P><P>&nbsp;</P><P>On the new connection I did a packet capture on my PC. I can see packets leaving my PC&nbsp;@ 1514 bytes. I see ICMP Destination unreachable (Fragmentation needed) packets from the firewall.</P><P>As soon as I move the connection to the old firewall, no change to the PC, I run a capture and never see a single ICMP Dest Unreachable and the max size I ever see leave the PC is 1434 bytes.</P><P>I don't get what's happening, any thoughts?</P><P>Thanks!</P> Mon, 22 Nov 2021 18:32:19 GMT https://community.cisco.com/t5/network-security/path-mtu-discovery-broken-on-ftdv-with-pppoe-interface-6-6-amp-7/m-p/4506731#M1085290 AJ Cruz 2021-11-22T18:32:19Z https://community.cisco.com/t5/network-security/path-mtu-discovery-broken-on-ftdv-with-pppoe-interface-6-6-amp-7/m-p/4506834#M1085303 <P>I think I just fixed it. I've been battling this for a couple weeks.</P><P>I just noticed the 6.4 FTD has this:</P><P>&nbsp;</P><PRE>sysopt connection tcpmss 1380 sysopt connection tcpmss minimum 0</PRE><P>And the 6.6 FTD has this:</P><PRE>sysopt connection tcpmss 0 sysopt connection tcpmss minimum 0</PRE><P>I created a flexconfig policy on the 6.6 FTD to push</P><PRE>sysopt connection tcpmss 1380</PRE><P>and it seems to be working.</P><P>&nbsp;</P> Mon, 22 Nov 2021 22:16:30 GMT https://community.cisco.com/t5/network-security/path-mtu-discovery-broken-on-ftdv-with-pppoe-interface-6-6-amp-7/m-p/4506834#M1085303 AJ Cruz 2021-11-22T22:16:30Z https://community.cisco.com/t5/network-security/path-mtu-discovery-broken-on-ftdv-with-pppoe-interface-6-6-amp-7/m-p/5266872#M1119846 <P>To your knowledge was this ever fixed in an update/ newer release or is the fix really simply an individual needs done manually?</P> Mon, 03 Mar 2025 17:53:43 GMT https://community.cisco.com/t5/network-security/path-mtu-discovery-broken-on-ftdv-with-pppoe-interface-6-6-amp-7/m-p/5266872#M1119846 TheGoob 2025-03-03T17:53:43Z