Sophos XGS v19: Strange behaviour over IPSec VPN (Sophos Connect)

Hey folks,

I am currently implementing a new Sophos XGS at a customer's site and am seeing some strange effects while using the IPsec VPN through Sophos Connect (have not tested any other).

When browsing the web, some sites are not accessible (no loading and a connection error after some time). While viewing some dumps I came across the fact that the firewall sends out ICMP fragmentation messages to the web server, as the response packets were too large.

So far so good, but now comes the tricky part. The IPsec interface of the Sophos Connect client has an MTU of 1400 set (default), so each client connection sends out an MSS of 1360. Everything normal until now! The ipsec0 interface of the Sophos XGS has an MTU of 1387 set, which makes no sense to me and might be the cause of the fragmentation messages, as they were sent by the firewall, not my client.

Can someone explain this to me? Is this a bug, or what am I not getting here?

[edited by: emmosophos at 9:42 PM (GMT -7) on 23 Jun 2022]
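Added example (not from the post or from Sophos): it derives the MSS a host advertises from its interface MTU and checks whether a full-size segment built from that MSS still fits a tunnel interface with a smaller MTU, using the 1400 / 1387 numbers above. Header sizes assume IPv4 and TCP without options.

```python
# Added example (not part of the forum post): how an interface MTU becomes the
# TCP MSS a client advertises, and why a segment sized for one MTU can still
# trigger an ICMP "fragmentation needed" message on a tunnel interface whose
# MTU is a few bytes smaller. Header sizes assume no IP or TCP options.

IPV4_HDR = 20   # minimal IPv4 header
IPV6_HDR = 40
TCP_HDR = 20    # minimal TCP header


def mss_for_mtu(mtu: int, ipv6: bool = False) -> int:
    """TCP MSS a host derives from its interface MTU (MTU minus IP and TCP headers)."""
    return mtu - (IPV6_HDR if ipv6 else IPV4_HDR) - TCP_HDR


def segment_size(mss: int, ipv6: bool = False) -> int:
    """On-the-wire size of a full-MSS TCP segment, before any tunnel encapsulation."""
    return mss + (IPV6_HDR if ipv6 else IPV4_HDR) + TCP_HDR


def check_path(client_mtu: int, tunnel_mtu: int, ipv6: bool = False) -> dict:
    """Compare the MSS the client advertises (derived from its own MTU) with the
    largest segment the tunnel interface can forward unfragmented. A server reply
    of full_segment bytes with DF set cannot be forwarded when fits_tunnel is
    False, so the forwarding device has to answer with ICMP fragmentation needed."""
    advertised_mss = mss_for_mtu(client_mtu, ipv6)
    full_segment = segment_size(advertised_mss, ipv6)
    return {
        "advertised_mss": advertised_mss,
        "full_segment": full_segment,
        "fits_tunnel": full_segment <= tunnel_mtu,
        "excess_bytes": max(0, full_segment - tunnel_mtu),
        # MSS that would have to be advertised (or clamped) to fit the tunnel MTU
        "required_mss": mss_for_mtu(tunnel_mtu, ipv6),
    }


if __name__ == "__main__":
    # Numbers from the post: client tunnel MTU 1400 (MSS 1360), firewall ipsec0 MTU 1387.
    for key, value in check_path(client_mtu=1400, tunnel_mtu=1387).items():
        print(f"{key}: {value}")
```

When `advertised_mss` exceeds `required_mss`, clamping the MSS on the tunnel interface to `required_mss` is the usual way to stop the fragmentation-needed messages without changing the client.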