Route Based S2S IPSEC Slow/Missing Packets?

rtarson98
Level 1

So I have a PTP S2S IPsec tunnel created for a location. I was able to get the connection up, and I can ping all the endpoints in the route okay on both sides. However, I noticed that connecting to RDP or doing SMB was SLLLOOOOOW, or just disconnected due to timeout. I thought maybe it was the DNS. But DNS was reachable; I just noticed that it was having a delay in name resolution.

So then I went down the rabbit hole of inspecting the packets and pinging with different packet sizes. I tried with the parameters -f and -l. I tested what my largest acceptable packet over IPsec is and noticed that it taps out around 1410. On my FTD, the WAN interface that connects the Firepower/tunnel is set to an MTU of 1500. The extranet device has MSS clamping with a TCP segment size of 1452, and its MTU is 1500.

I have a feeling it all has to do with the MTU from my reading, but if someone thinks otherwise, I am all ears.

Now, to fix it: is this something I have to do via FlexConfig? I read something about adding sysopt_basic. However, it looks like it will size all TCP traffic; should I configure it to size only the IPsec routes? Also, what is the recommended TCP MSS for an MTU of 1500 over IPsec?
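Added worked example to go with the MTU probing described above (this is not from the original post and not Cisco code): a small Python model of ESP tunnel-mode overhead. Given the WAN MTU and an assumed cipher/integrity pair, it computes the largest inner packet that avoids fragmentation, the matching `ping -f -l` payload (Windows ping's -l is payload only, so 28 bytes of IP/ICMP header are added on top), and the TCP MSS that fits inside that inner MTU. The cipher profiles and the sample probe value of 1410 are assumptions used for illustration; which profile, if any, matches a real tunnel depends on its actual IKE/IPsec proposal and on whether NAT-T is in use.

```python
"""ESP tunnel-mode overhead calculator (added example, not from the original post).

Models how much an IPsec ESP tunnel adds to each packet so the ceiling found
with `ping -f -l` can be checked against a 1500-byte WAN MTU and turned into a
TCP MSS value. The cipher/integrity combinations and the sample probe value are
assumptions for illustration, not a statement about any particular tunnel.
"""

IPV4_HEADER = 20   # outer and inner IPv4 header, no options
ICMP_HEADER = 8    # Windows `ping -l N` sends N bytes of payload + 28 bytes of IP/ICMP header
TCP_HEADER = 20    # TCP header without options
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1), covered by the encryption padding
UDP_HEADER = 8     # extra UDP/4500 header when NAT traversal (NAT-T) is in use

# cipher -> (IV length, padding block size). Assumed common profiles.
CIPHERS = {
    "aes-cbc": (16, 16),
    "3des-cbc": (8, 8),
    "aes-gcm": (8, 4),   # AEAD: 8-byte IV, 4-byte alignment, tag length set in INTEGRITY
}
# integrity -> ICV length in bytes. AES-GCM carries its own 16-byte tag.
INTEGRITY = {
    "hmac-sha1-96": 12,
    "hmac-sha256-128": 16,
    "aes-gcm-icv16": 16,
}


def esp_packet_size(inner_len: int, cipher: str, integrity: str, nat_t: bool = False) -> int:
    """Size on the wire of an inner IPv4 packet of `inner_len` bytes after ESP tunnel encapsulation."""
    iv_len, block = CIPHERS[cipher]
    icv_len = INTEGRITY[integrity]
    body = inner_len + ESP_TRAILER
    padded = -(-body // block) * block          # pad up to the cipher block size
    outer = IPV4_HEADER + ESP_HEADER + iv_len + padded + icv_len
    return outer + (UDP_HEADER if nat_t else 0)


def max_inner_mtu(outer_mtu: int, cipher: str, integrity: str, nat_t: bool = False) -> int:
    """Largest inner IPv4 packet that still fits in `outer_mtu` once encapsulated (no fragmentation)."""
    for inner in range(outer_mtu, 0, -1):
        if esp_packet_size(inner, cipher, integrity, nat_t) <= outer_mtu:
            return inner
    raise ValueError("outer MTU too small for any ESP packet")


def windows_ping_payload(inner_mtu: int) -> int:
    """The largest `ping -f -l N` value that should get through for a given inner MTU."""
    return inner_mtu - IPV4_HEADER - ICMP_HEADER


def tcp_mss_for(inner_mtu: int) -> int:
    """TCP MSS that keeps every full-size segment within `inner_mtu` (IPv4 + TCP, no options)."""
    return inner_mtu - IPV4_HEADER - TCP_HEADER


def profiles():
    """Assumed (cipher, integrity, nat_t) combinations to compare against a probe."""
    return [
        ("aes-cbc", "hmac-sha1-96", False),
        ("aes-cbc", "hmac-sha1-96", True),
        ("aes-cbc", "hmac-sha256-128", False),
        ("aes-gcm", "aes-gcm-icv16", False),
        ("3des-cbc", "hmac-sha1-96", False),
    ]


def match_probe(ping_payload: int, outer_mtu: int) -> list:
    """Profiles whose predicted ceiling equals the observed largest DF ping payload."""
    observed_inner = ping_payload + IPV4_HEADER + ICMP_HEADER
    return [p for p in profiles() if max_inner_mtu(outer_mtu, *p) == observed_inner]


if __name__ == "__main__":
    wan_mtu = 1500
    probe = 1410  # constructed sample: the largest `ping -f -l` payload that got through
    print(f"{'cipher':9} {'integrity':16} {'nat-t':5} {'inner MTU':>9} {'ping -l':>7} {'TCP MSS':>7}")
    for cipher, integ, nat in profiles():
        inner = max_inner_mtu(wan_mtu, cipher, integ, nat)
        print(f"{cipher:9} {integ:16} {str(nat):5} {inner:9} {windows_ping_payload(inner):7} {tcp_mss_for(inner):7}")
    print("profiles consistent with the probe:", match_probe(probe, wan_mtu))
```

Run it and look for the row whose `ping -l` column equals what you measured; the `TCP MSS` column for that row is the clamp value that keeps full segments under that inner MTU for the assumed profile. The model ignores IP and TCP options, so in practice a little extra headroom below the computed MSS is often left.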