Updating Firepower Virtual Appliance in AWS. Changed MTU on VNI !

mluszcz68
Level 1

Hello,

I am running Firepower Virtual appliances in AWS. They are behind a GWLB and all part of a target group. The appliances were running 7.2.8 and we updated to 7.4.2. We removed an appliance from the target group, updated the software, and then put it back in the Target group and it would show up healthy. After the updates, most traffic flowing through these appliances was failing. Packet captures (on endpoints having issues) revealed full successful TCP handshakes but payloads being dropped. This led me to think it could be an MTU issue. 

When originally enabling VTEP / GENEVE on these appliances, it automatically updated the MTU of the data interface connected to the GWLB to 1806. The VNI then in turn has an MTU of 1500. This makes sense per the information below from a Cisco doc:

"For AWS with GWLB, the data interface uses Geneve encapsulation. In this case, the entire Ethernet datagram is being encapsulated, so the new packet is larger and requires a larger MTU. You should set the source interface MTU to be the network MTU + 306 bytes. So for the standard 1500 MTU network path, the source interface MTU should be 1806."

After the update during troubleshooting, we saw the MTU on the VNI interface was 1480. You can imagine this would cause huge issues. The MTU on the data interface was still 1806. We had to update the MTU on the data interface to 1826 to fix the issue and increase the MTU on the VNI interface to 1500. 

Has anyone seen anything like this before? This caused a huge outage. 
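As an added illustration (not part of the original thread), the Python check below applies the MTU relationship from the Cisco doc quoted above to the three interface states reported in the post, and shows why a TCP handshake can complete while full-size data segments are dropped once the VNI MTU shrinks. The 306-byte overhead and the 1806/1480/1826 values come from the post; the 40-byte IPv4+TCP header assumption and the function names are constructed for this example.

```python
# Added example (not from the thread): consistency check for the GENEVE MTU
# relationship described in the Cisco doc, applied to the values in the post.

GENEVE_OVERHEAD = 306   # bytes GENEVE encapsulation adds, per the Cisco doc
IPV4_TCP_HEADERS = 40   # minimum IPv4 (20) + TCP (20) header bytes (assumption)


def check_geneve_mtu(data_mtu: int, vni_mtu: int, path_mtu: int = 1500) -> list:
    """Return a list of findings for a data-interface / VNI MTU pair.

    data_mtu: MTU on the data interface facing the GWLB (carries GENEVE).
    vni_mtu:  MTU on the VNI interface (inner, decapsulated traffic).
    path_mtu: MTU of the network path the protected endpoints assume.
    """
    findings = []
    # The VNI must carry full-size inner frames for the path the endpoints use.
    if vni_mtu < path_mtu:
        findings.append(f"VNI MTU {vni_mtu} < path MTU {path_mtu}: inner packets "
                        f"between {vni_mtu + 1} and {path_mtu} bytes drop")
    # The data interface must fit the inner frame plus the GENEVE overhead.
    required = vni_mtu + GENEVE_OVERHEAD
    if data_mtu < required:
        findings.append(f"data MTU {data_mtu} < VNI MTU + {GENEVE_OVERHEAD} = {required}")
    return findings


def segment_fits(vni_mtu: int, tcp_payload: int) -> bool:
    """True if an IPv4/TCP packet carrying tcp_payload bytes fits the VNI MTU.

    A SYN has no payload and always fits; a full segment (MSS = path MTU - 40)
    no longer fits once the VNI MTU drops below the path MTU, which matches the
    'handshake completes, payload drops' symptom seen in the captures.
    """
    return tcp_payload + IPV4_TCP_HEADERS <= vni_mtu


if __name__ == "__main__":
    # Before the upgrade, after the upgrade, and after the fix (values from the post).
    states = [("before", 1806, 1500), ("after", 1806, 1480), ("fixed", 1826, 1500)]
    for label, data_mtu, vni_mtu in states:
        print(label, check_geneve_mtu(data_mtu, vni_mtu) or "ok")
    print("SYN fits on 1480 VNI:", segment_fits(1480, 0))
    print("1460-byte segment fits on 1480 VNI:", segment_fits(1480, 1460))
```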


4 Replies

Sheraz.Salim
VIP Alumni

It sounds like you encountered a significant issue with MTU settings after upgrading your Firepower Virtual appliances in AWS. The scenario you described, where the MTU on the VNI interface was incorrectly set to 1480 post-upgrade, is indeed problematic and can lead to packet drops, especially when dealing with encapsulated traffic like GENEVE used by AWS GWLB.
The upgrade process might have inadvertently reset or misconfigured the MTU settings on the VNI interface. This could point to a bug. Since this caused a significant outage, it would be better to open a Cisco TAC case to investigate whether this is a known issue or a bug introduced in the 7.4.2 release.

Please do not forget to rate.

mluszcz68
Level 1

Thank you for the reply. I worked with Cisco TAC and they helped us resolve the issue by having us update the MTU on the data interface to 1826. Kind of wondering if anyone else has experienced something similar. I am still waiting on TAC to confirm if the MTU was changed as part of the software update like you say. I need a solid RFO on this due to scale of issue. 

Thank you for the update. Do update us here if this is related to any bug in the software. Hopefully you will get the RFO on this issue with a detailed response from Cisco TAC.

Please do not forget to rate.

mluszcz68
Level 1

Cisco has officially made what happened into a bug:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwo00225
