FTD IPSec MSS

Hi Guys,

We have an FTD terminating a few IPSec tunnels. One of them is having connectivity issues with larger packets, so we suspect that there is a smaller MTU set somewhere towards the destination. As far as I know the FTD can overwrite the endpoint MSS values (in fact I think the default is 1380), so the idea is to make that smaller to make the packet sizes smaller. But I only want to do that for the specific tunnel, not all of them.

Is that possible from a FTD/FMC perspective to only influence the mss of a single tunnel?

Thanks!

Jacques


8 Replies

marce1000
Hall of Fame


  - Check if you have: FMC -> Devices -> Device management -> Interface -> MTU (for changing MTU)

  M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Are you using crypto policy VPN or VTI route-based VPN? And which software versions are you running?

--
Please remember to select a correct answer and rate helpful posts

Hi, we are using crypto policy. The FMC is 7.0.6.2 and the FTD is 6.4.0.18.

Thanks!

VPN IPsec option > ESPv3 setting > Enable don't fragment policy > DF bit clear

This will make the FTD clear the DF bit on receive, if that is what you are looking for.

MHM

VPN advanced > IPsec > IPsec settings > PMTU

Let IKE use PMTU to adjust the MSS automatically.

I hope these two options I shared solve your issue.

MHM

One more option (this needs to be used with DF bit clear):

Advanced > IPsec > IPsec settings

Enable Fragment before encrypt

This makes your FTD clear the DF bit and fragment the packet before encrypting it.

MHM

DF bit is cleared by default, so I doubt that is the issue here.

I do not believe you can set the MTU / MSS on a per-tunnel basis. It is a global configuration, so that will affect all tunnels. Also, the base MTU is determined by the physical interface that the VPN is terminated on (for both policy-based and route-based VPN), but if all VPNs are associated with the same interface then changing the MTU on the physical interface will also affect all associated VPNs.

--
Please remember to select a correct answer and rate helpful posts

DF-bit clear etc. may not help, as if the MSS is 1380 it will never exceed the IPsec SA MTU and will never get fragmented before encryption. The PMTUD also may get blocked, etc. Also, the return direction will have issues if the other side doesn't do the same.

I wish that you were using VTI and FTD had an option to set per-interface MSS like IOS (:: wish wish

What I would suggest is just lowering the MTU to ~1300, or in between 1300 and 1380, or test where it breaks.

You may want to set the DF bit and ping across the VPN to see where it fails; that will give you a better idea of where to set the MSS.

1300-1380 is not going to kill stuff, especially with a high-bandwidth internet link. It will change for all VPNs and all traffic going through the box.

I suggest you test with ping with the DF bit set across the non-working and working VPN to see if the non-working one is a bit off. I don't think it will be off by more than a few bytes. Maybe 1360 MSS might work.
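The DF-bit ping test suggested above, written out as a script (an added example, not from any poster in this thread): it binary-searches the largest ICMP payload that crosses the path with DF set, then converts that to the path MTU and the TCP MSS you would configure. It assumes Linux iputils `ping` (`-M do` sets DF), and the host 192.0.2.10 is a placeholder for a peer behind the tunnel.

```shell
#!/bin/sh
# Added example: find the path MTU across a VPN with DF-set pings and derive an MSS.
# Assumes Linux iputils ping; 192.0.2.10 below is a placeholder peer address.

# probe_ping SIZE HOST -> exit 0 if a DF-set ping with SIZE bytes of payload gets through
probe_ping() {
    ping -c 1 -W 2 -M do -s "$1" "$2" >/dev/null 2>&1
}

# pmtu_search HOST LOW HIGH [PROBE]
# Prints the largest payload size in [LOW, HIGH] for which PROBE succeeds (0 if none).
# PROBE defaults to probe_ping; a different probe function can be passed for testing.
pmtu_search() {
    host=$1; lo=$2; hi=$3; probe=${4:-probe_ping}
    best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid" "$host"; then
            best=$mid; lo=$((mid + 1))    # fits: look for something larger
        else
            hi=$((mid - 1))               # dropped (needs fragmentation): go smaller
        fi
    done
    echo "$best"
}

# payload_to_mtu PAYLOAD -> IPv4 path MTU = payload + 8 (ICMP header) + 20 (IPv4 header)
payload_to_mtu() { echo $(( $1 + 28 )); }

# mtu_to_mss MTU -> TCP MSS for IPv4 with no options = MTU - 20 (IPv4) - 20 (TCP)
mtu_to_mss() { echo $(( $1 - 40 )); }

# Usage: run against a working and a non-working tunnel peer and compare the results.
# 1472 is the largest payload that fits a 1500-byte MTU, so start the search there.
if [ "${1:-}" = "run" ]; then
    payload=$(pmtu_search 192.0.2.10 0 1472)
    mtu=$(payload_to_mtu "$payload")
    echo "largest DF payload: $payload  path MTU: $mtu  suggested MSS: $(mtu_to_mss "$mtu")"
fi
```

Run it as `sh pmtu.sh run` from a host on one side of the tunnel; a result noticeably below 1380 on the broken tunnel only is the "a bit off" case described above.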
