MTU issues with a VPN appliance connecting through FTD

01-16-2025 07:42 AM
Hi all, I have a client PC which occasionally needs to upload a large amount of data to a server at another company with which we have an IPsec VPN tunnel. I have attached a rough drawing of this setup. We recently upgraded from an ASA to a Cisco FTD appliance. The client is sitting on the internal network connected to E1/1 and the VPN appliance sits inside the DMZ. I am running into issues with the MTU. From the client, I can't ping the server with packets larger than 1379 bytes. Smaller packets have no issues getting through.
I understand IPsec adds additional overhead which should be taken into account. In the past, on IOS routers, I have been able to configure things like path MTU, and even decreased the TCP MSS down to 1360 bytes, but I have no idea how to do this on the FTD. I did refer to Cisco documents and configured a Flex policy where I changed the default TCP MSS on the FTD to 1360; however, the client is still having issues. What am I doing wrong? Please advise. Thank you for your support.
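As an added example (not part of the original post and not FTD or Cisco code), the tool below does the measurement the poster describes by hand: it binary-searches the largest ICMP payload that crosses the path with DF set, converts that into a path MTU and the TCP MSS a clamp would need, and estimates how much of the drop an ESP tunnel accounts for. A TCP MSS clamp only shapes TCP segments, so DF-marked pings are the right probe for the raw path. The `ping` command lines, the ESP overhead figures (tunnel mode, AES-CBC with HMAC-SHA1-96) and the `fake_path` stand-in for the network are assumptions made for this example; `fake_path` is constructed so the search logic runs offline.

```python
"""Path-MTU probe and TCP MSS calculator (added example, not from the thread).

find_max_payload() binary-searches the largest DF-marked ICMP payload the
path passes.  ping_df() is the real probe (shells out to the platform ping);
fake_path() is a constructed stand-in that drops anything over a chosen MTU
so the search can be exercised without a network.
"""
import platform
import subprocess
from typing import Callable

IP_HDR = 20    # IPv4 header
ICMP_HDR = 8   # ICMP echo header
TCP_HDR = 20   # TCP header without options

Probe = Callable[[int], bool]


def ping_df(payload: int, host: str, timeout_s: float = 2.0) -> bool:
    """Send one echo request with DF set and `payload` data bytes.

    Assumption: Linux iputils, macOS and Windows ping flags as below.  A
    reply line contains "ttl=" on every platform, which is more reliable
    than the exit code for the "needs to be fragmented" case.
    """
    system = platform.system()
    if system == "Windows":
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload),
               "-w", str(int(timeout_s * 1000)), host]
    elif system == "Darwin":
        cmd = ["ping", "-c", "1", "-D", "-s", str(payload), host]
    else:
        cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload),
               "-W", str(int(timeout_s)), host]
    out = subprocess.run(cmd, capture_output=True, text=True).stdout
    return "ttl=" in out.lower()


def find_max_payload(probe: Probe, lo: int = 0, hi: int = 1472) -> int:
    """Largest payload in [lo, hi] for which probe() succeeds.

    Assumes the path is monotone: if size n is dropped, every larger size
    is dropped too.  1472 is the payload that fills a 1500-byte Ethernet MTU.
    """
    if not probe(lo):
        raise RuntimeError("smallest probe failed: host unreachable or ICMP blocked")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def path_mtu_from_payload(payload: int) -> int:
    """ICMP payload -> total IPv4 packet size that still got through."""
    return payload + IP_HDR + ICMP_HDR


def mss_for_mtu(mtu: int) -> int:
    """TCP MSS that fits a given path MTU (IPv4, no TCP options)."""
    return mtu - IP_HDR - TCP_HDR


def esp_overhead_worst_case(nat_t: bool = False) -> int:
    """Worst-case bytes an IPsec tunnel-mode SA adds per packet.

    Assumption: AES-CBC with HMAC-SHA1-96.  Outer IPv4 20 + ESP SPI/seq 8
    + IV 16 + padding/pad-length/next-header up to 17 + ICV 12 = 73.
    NAT-T wraps ESP in UDP, adding 8 more.  Other cipher suites differ.
    """
    overhead = IP_HDR + 8 + 16 + 17 + 12
    return overhead + 8 if nat_t else overhead


def report(probe: Probe, hi: int = 1472) -> dict:
    """Run the search and return the numbers an operator needs."""
    payload = find_max_payload(probe, 0, hi)
    mtu = path_mtu_from_payload(payload)
    return {"max_df_payload": payload, "path_mtu": mtu, "tcp_mss": mss_for_mtu(mtu)}


def fake_path(mtu: int) -> Probe:
    """Constructed stand-in for a network that drops DF packets over `mtu`."""
    def probe(payload: int) -> bool:
        return path_mtu_from_payload(payload) <= mtu
    return probe


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        host = sys.argv[1]
        print(report(lambda p: ping_df(p, host)))
    else:
        # Offline demo: a constructed 1400-byte path yields MSS 1360.
        print(report(fake_path(1400)))
        print("ESP worst-case overhead:", esp_overhead_worst_case(), "bytes")
```

Run it as `python pmtu_probe.py <server-ip>` from the client to get the real numbers; with no argument it exercises the constructed path. Compare the reported `tcp_mss` with the value configured on the firewall, and remember that ICMP pings will keep failing above the path MTU no matter what MSS the firewall clamps.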
01-16-2025 09:22 AM
Version? Platform? FMC or FDM?
01-16-2025 09:40 AM
Version 7.4.2.1 of FTD. Running FMC version 7.4.2.1
Thanks
01-18-2025 05:53 AM
Each VPN has its own PMTU to dynamically adjust the MTU.
The PMTU config you can find in the IPsec settings:
Advanced > IPsec > IPsec Settings
- Enable Fragmentation Before Encryption
  - This option lets traffic travel across NAT devices that don't support IP fragmentation. It doesn't impede the operation of NAT devices that do support IP fragmentation.
- Path Maximum Transmission Unit Aging
  - Check to enable Path Maximum Transmission Unit (PMTU) Aging, the interval to reset the PMTU of a Security Association (SA).
- Value Reset Interval
  - Enter the number of minutes at which the PMTU value of an SA is reset to its original value. Valid range is 10 to 30 minutes, default is unlimited.
