MTU and MSS bug?

Why do I get this error when I try to configure it like this?

This is a standard configuration for PPPoE networks.


« TCP Analyzer Results »
Tested on: 2019.08.06 07:14
IP address:
Client OS/browser: Windows 10 (Firefox 68.0)
TCP options string: 020405ac0103030801010402
MSS: 1452
MTU: 1492
TCP Window: 262656 (not multiple of MSS)
RWIN Scaling: 8 bits (2^8=256)
Unscaled RWIN : 1026
Recommended RWINs: 63888, 127776, 255552, 511104, 1022208
BDP limit (200ms): 10506kbps (1313KBytes/s)
BDP limit (500ms): 4202kbps (525KBytes/s)
MTU Discovery: ON
TTL: 112
Timestamps: OFF
IP ToS: 00100000 (32)
    Precedence: 001 (priority)
    Delay: 0 (normal delay)
    Throughput: 0 (normal throughput)
    Reliability: 0 (normal reliability)
    Cost: 0 (normal cost)
    Check bit: 0 (correct)
DSCP (DiffServ): CS1 001000 (8) - class 1 (RFC 2474). Similar forwarding behavior to the ToS Precedence field.

  • Hi  

    As you are trying to configure a PPPoE connection, it will add 8 bytes to the 40-byte difference in MSS.

     mss = tcp-mss which is actually = MTU - 40 (20 Byte for TCP + 20 Byte IP)

     so mss will be = 1460 if you have an MTU of 1500

    The maximum MTU for Ethernet connections on devices is 1500 bytes (Ethernet maximum MTU size).  Having an MTU of 1500 allows for 1460 bytes of data payload, 20 bytes of TCP header, and 20 bytes of IP header. With PPPoE connections, the PPP and PPPoE header increases the frame size by 8 bytes, so we must lower the MTU to 1492. With the Ethernet header added to this, we get a frame size of 1518 bytes.

  • In reply to Keyur:

    mss = tcp-mss which is actually = MTU - 40 (20 Byte for TCP + 20 Byte IP)


    This is absolutely correct, but the PPPOE-header of 8 bytes gets subtracted from both MTU and MSS, thus still leaving a difference of 40. 48 makes no sense to me at all.

  • In reply to donald2612:

    I think it is wrongly implemented in Sophos XG; it should be fixed.

    Sophos engineers didn't understand how to implement this properly.


    Please report this bug internally; the difference must be 40, not 48.

  • In reply to l0rdraiden:


    When you lower the size for MTU, i.e. 1492, it is not subtracting anything for PPPoE; MSS should be 48 bytes less than the MTU size during configuration. If the MTU value is 1500, then the MSS for PPPoE configuration should be 1452 in the XG configuration.

  • In reply to Keyur:

    Sorry, but you are wrong.

    Read this


    The router of my ISP works with this. I have checked another ISP in my country and they use the same. Both under PPPoE:

    MSS: 1452
    MTU: 1492

    MSS is MTU minus 40. And that's it. Please report the bug; it's either a bug or you don't understand the definition of the terms. If the difference must be 48, then MTU is not MTU or MSS is not MSS and they are something else.

  • In reply to l0rdraiden:

    You should open a Bug with the Sophos Support to get this reported. 

  • In reply to LuCar Toni:

    No, you, as an employee of your company should open a bug report, that somebody in the community found a bug. And be grateful for it.

    I hate it, when basic principles get lost in too fast growing companies...


    My company is in need of a new fw-solution, so I wander the forums before I choose. Do you think that this type of incompetent advice is a good mind changer?


    It's only about a small engineering problem, where an employee should show knowledge and, if not given, get pro-active help activated.


    I still think your UTM-project has matured, but your XG-team has failed to develop this product, as this kind of thread shows. Learn, implement and show sovereignty, that should be your credo. But it's hire and fire, leave and forget, I guess. Good luck!



  • In reply to donald2612:


    For LuCar to create a bug report he needs your serial number, which he does not have. Or you can create it and give it a little priority, e.g. it is affecting your business with some application failing to connect because of MTU size.


  • In reply to l0rdraiden:


    I am working with the concerned team on the reported issue and will inform you further with the required details.

  • In reply to rfcat_vk:

    Hello everyone,

     Allow me to clarify the confusion in this thread.

    When dealing with the MTU and MSS values of any normal interface type, such as Static and DHCP, the MTU default would be 1500 and the MSS value would be 1500-40=1460.

    This is different in the PPPoE case: we would need an additional 8 bytes for PPPoE, i.e. the PPP-Max-Payload field needs an additional 8 bytes and truncates the Ethernet MTU to 1492, and the value for MSS is 1452.


    Difference between Ethernet MTU and IP MTU. 

    Ethernet MTU.

    The main difference is that the interface MTU defines the max packet size supported by an interface, while the IP MTU is used to set the MTU size of an IP packet. Each interface has a default maximum packet size or MTU size. This number generally defaults to the largest size possible for that interface type.


    To set the maximum transmission unit (MTU) size of IP packets sent on an interface. The minimum is 128 bytes; the maximum depends on the interface medium.

     Changing the MTU value (with the MTU interface configuration command) can affect the IP MTU value. If the current IP MTU value is the same as the MTU value, and you change the MTU value, the IP MTU value will be modified automatically to match the new MTU. However, the reverse is not true; changing the IP MTU value has no effect on the value for the MTU command.

    "The Maximum-Receive-Unit (MRU) option MUST NOT be negotiated to a larger size than 1492. Since Ethernet has a maximum payload size of 1500 octets, the PPPoE header is 6 octets and the PPP Protocol ID is 2 octets, the PPP MTU MUST NOT be greater than 1492." -> Taken from RFC 2516




    1. Interface MTU - default MTU size for an interface:

    For a PPPoE connection, Ethernet MTU = IP MTU + 8 (8 bytes for overhead).

    For a normal connection, Ethernet MTU = IP MTU.

    MSS value = IP MTU - 40.

    So the difference between the Ethernet MTU and the MSS value is 48, not 40.

    In the screenshot mentioned above, the Ethernet MTU was set as 1492, so we would need an additional 48 bytes for overhead. 
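
The following is an added example, not code from the thread or from Sophos. It decodes the TCP options string from the analyzer output in the first post and compares the advertised MSS with the value given by the relationships in the post above (Ethernet MTU = IP MTU + 8 for PPPoE, MSS = IP MTU - 40). The function names are hypothetical.

```python
import struct

# TCP option kinds (RFC 793, RFC 7323, RFC 2018)
KIND_EOL, KIND_NOP, KIND_MSS, KIND_WSCALE, KIND_SACK_OK = 0, 1, 2, 3, 4
IP_HDR = 20          # IPv4 header without options
TCP_HDR = 20         # TCP header without options
PPPOE_OVERHEAD = 8   # 6-byte PPPoE header + 2-byte PPP protocol ID (RFC 2516)

def parse_tcp_options(hex_string):
    """Decode a TCP options hex string into a dict of the fields it carries."""
    data = bytes.fromhex(hex_string)
    out, i = {"sack_permitted": False}, 0
    while i < len(data):
        kind = data[i]
        if kind == KIND_EOL:
            break
        if kind == KIND_NOP:          # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("option kind %d has no length byte" % kind)
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        body = data[i + 2:i + length]
        if kind == KIND_MSS and length == 4:
            out["mss"] = struct.unpack("!H", body)[0]
        elif kind == KIND_WSCALE and length == 3:
            out["window_scale"] = body[0]
        elif kind == KIND_SACK_OK and length == 2:
            out["sack_permitted"] = True
        i += length                   # unknown options are skipped by length
    return out

def expected_mss(ethernet_mtu, pppoe):
    """MSS from the Ethernet MTU: IP MTU minus 40, where PPPoE takes 8 bytes first."""
    ip_mtu = ethernet_mtu - (PPPOE_OVERHEAD if pppoe else 0)
    return ip_mtu - IP_HDR - TCP_HDR

def check_syn(hex_string, ethernet_mtu, pppoe):
    """Compare the MSS advertised in a SYN with the value the link should give."""
    opts = parse_tcp_options(hex_string)
    want = expected_mss(ethernet_mtu, pppoe)
    return {"advertised": opts.get("mss"), "expected": want,
            "match": opts.get("mss") == want, "options": opts}

if __name__ == "__main__":
    # Options string copied from the analyzer output in the first post.
    print(check_syn("020405ac0103030801010402", 1500, pppoe=True))
```

With an Ethernet MTU of 1500 on PPPoE the advertised MSS of 1452 matches; passing 1492 as the Ethernet MTU yields an expected MSS of 1444, which is the 48-byte difference the post describes.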

  • In reply to Aditya Patel:

    This is a perfect post!

    Just migrated from UTM to XG

    I have been having DSL PPPoE WAN connections disconnecting every couple of hours since migrating

    I have set my MSS to 1412 and MTU to 1492

    I am going to be performing some testing and will advise this post