Sophos Firewall: MSS Clamping and IPsec Acceleration

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This Recommended Read was created to highlight a new KB that can help solve IPsec issues without disabling IPsec acceleration.

Symptom

  • TCP connections may fail or timeout.
  • Endpoints experience connectivity problems to certain servers on the internet for IPsec remote access connections.

Cause

The problem with the ICMP-dependent approach to PMTUD is that it does not work if any network element in the path either fails to generate the "ICMP Fragmentation Needed" message when it is needed, or blocks such a message generated by another network element for whatever reason, including security.

With SFOS 19.0, the IPsec acceleration feature made this general PMTUD issue worse for IPsec remote access connections: the MTU of the virtual ipsec0 tunnel interface is reduced to the minimum MTU of the WAN interfaces configured on the appliance, because of a further limitation in the interaction between the DPIE on the host and the FastPath on the NPU.

Resolution

The following workarounds are available:

Configure MSS clamping

Configure MSS clamping for all TCP connections going through IPsec tunnels using iptables rules. The MSS value that needs to be configured on the ipsec0 tunnel interface is computed using the following formula:

mss = min(MTU of all WAN interfaces) - (ipsec overhead + ip_overhead + TCP overhead)

Assuming AES-256 with SHA1:

  • ipsec overhead = 73 bytes
  • ip_overhead = 20 bytes for IPv4
  • tcp overhead = 60 bytes

Assuming the minimum WAN MTU on the appliance to be 1500, the MSS value needs to be configured to 1347:

mss = 1500 - (73 + 20 + 60) = 1347

And similarly, with ip_overhead for ipv6 being 40 bytes, the MSS value would be 1327:

mss = 1500 - (73 + 40 + 60) = 1327

MSS clamping can be configured from the Advanced Shell with the following iptables and ip6tables rules:

  • iptables -t mangle -A POSTROUTING -o ipsec0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1347
  • ip6tables -t mangle -A POSTROUTING -o ipsec0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1327

Note that the iptables configuration above is not persistent across restarts, so one would have to add those commands every time the firewall is restarted for whatever reason. With 19.5 MR1, this configuration is added automatically during initialization.
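The computation and the rule handling above, as an added example that is not part of the KB or Sophos' own tooling: a POSIX shell script that derives the IPv4 and IPv6 clamp values from the overhead figures given above and the smallest WAN MTU, and adds or removes the ipsec0 TCPMSS rule only after an iptables -C check, so that re-running it does not stack duplicate copies of the rule. It assumes the AES-256/SHA1 overheads from this page (other cipher suites change the IPsec overhead), that it runs as root in the Advanced Shell where iptables and ip6tables exist, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not Sophos' code): compute the MSS clamp from the KB formula
#   mss = min(MTU of all WAN interfaces) - (ipsec overhead + ip_overhead + TCP overhead)
# and manage the ipsec0 TCPMSS rule without creating duplicates.
# Overheads are the page's figures for AES-256 with SHA1 (assumed; adjust for other suites).
IPSEC_OVERHEAD=73
TCP_OVERHEAD=60

# min_wan_mtu MTU... : print the smallest MTU among the WAN interfaces given
min_wan_mtu() {
    min=""
    for m in "$@"; do
        if [ -z "$min" ] || [ "$m" -lt "$min" ]; then min=$m; fi
    done
    echo "$min"
}

# compute_mss FAMILY MTU... : FAMILY is 4 or 6; prints the MSS to clamp to
compute_mss() {
    fam=$1; shift
    case "$fam" in
        4) ip_overhead=20 ;;   # IPv4 header
        6) ip_overhead=40 ;;   # IPv6 header
        *) echo "family must be 4 or 6" >&2; return 1 ;;
    esac
    mtu=$(min_wan_mtu "$@")
    echo $((mtu - (IPSEC_OVERHEAD + ip_overhead + TCP_OVERHEAD)))
}

# mss_rule_spec MSS : the rule specification shared by -A, -C and -D so the
# three operations always refer to exactly the same rule
mss_rule_spec() {
    echo "POSTROUTING -o ipsec0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $1"
}

# iptables_bin FAMILY : pick the binary for the address family
iptables_bin() { [ "$1" = 6 ] && echo ip6tables || echo iptables; }

# ensure_clamp FAMILY MTU... : add the rule only if an identical one is not
# already present in the mangle table (-C returns 0 when it matches).
# Needs root and iptables; run on the firewall itself.
ensure_clamp() {
    fam=$1; shift
    mss=$(compute_mss "$fam" "$@") || return 1
    bin=$(iptables_bin "$fam")
    spec=$(mss_rule_spec "$mss")
    # $spec is deliberately unquoted so it expands into separate arguments
    if $bin -t mangle -C $spec 2>/dev/null; then
        echo "rule already present: $bin -t mangle $spec"
    else
        $bin -t mangle -A $spec && echo "added: $bin -t mangle -A $spec"
    fi
}

# remove_clamp FAMILY MSS : delete every copy of the rule with that MSS value;
# -D removes one match per call, so loop until -C no longer finds one
remove_clamp() {
    bin=$(iptables_bin "$1")
    spec=$(mss_rule_spec "$2")
    while $bin -t mangle -C $spec 2>/dev/null; do
        $bin -t mangle -D $spec
    done
}

# Usage on the firewall (left commented so the file can also be sourced for checks):
# ensure_clamp 4 1500 1492 ; ensure_clamp 6 1500 1492
# remove_clamp 4 1347
```

On 19.5 MR1 and later the firewall installs the rule itself at initialization, so ensure_clamp reports it as already present rather than adding a second copy; on earlier releases the rule still does not survive a reboot, so the script has to be run again after each restart.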
Turn off IPsec Acceleration

Follow the steps on the IPsec acceleration documentation page to turn off IPsec acceleration. This is not the preferred option, as it prevents the firewall from taking advantage of the NPU's processing power to offload traffic processing.

Configure a small value for MTU

This is the least feasible option, as it has to be applied on the administered endpoints in the network. Configure the MTU to a reasonably small value that avoids the need for fragmentation in the network.

KB

https://support.sophos.com/support/s/article/KBA-000009673?language=en_US

Note: For any updates about this Recommended Read, always check the KB.

  • It is not clear from the above wording whether this command persists across a reboot. Also, what is the command to display the current setting? Lastly, what is the difference between this setting and the "Override MSS" option in the UI on each xfrm# interface?

  • Hello there,

    Thank you for contacting the Sophos Community.

    If you are running any version below 19.5 MR1 you would need to add that command every time there’s a reboot. If you’re on 19.5 MR1 or above this setting is automatically added during initialization, as the note states.

    You can display the current setting by entering the following command in the advanced shell:

    # iptables -nvxL -t mangle | grep ipsec

    Regards,


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Just noticed that it looks like I have multiple entries now for this.  

    XGS116_XN02_SFOS 19.5.2 MR-2-Build624# iptables -nvxL -t mangle | grep ipsec
    0 0 TCPMSS tcp -- * ipsec0 0.0.0.0/0 0.0.0.0/0 - tcp flags:0x06/0x02 TCPMSS set 1320
    0 0 TCPMSS tcp -- * ipsec0 0.0.0.0/0 0.0.0.0/0 - tcp flags:0x06/0x02 TCPMSS set 1320
    0 0 TCPMSS tcp -- ipsec0 * 0.0.0.0/0 0.0.0.0/0 - tcp flags:0x06/0x02 TCPMSS set 1327
    0 0 TCPMSS tcp -- * ipsec0 0.0.0.0/0 0.0.0.0/0 - tcp flags:0x06/0x02 TCPMSS set 1327
    XGS116_XN02_SFOS 19.5.2 MR-2-Build624#

    How do you reset to defaults?

  • Hello there,

    To delete an entry from iptables you need to use the switch -D

    # iptables -t mangle -D POSTROUTING -o ipsec0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1347

    Just make sure 

    Regards,


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hello everyone, I have had a similar issue and the support solution was to change the MSS to 1300 only for networks that are in IPsec.

    iptables -t mangle -I POSTROUTING -d 192.190.4.121/32 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1300;
    iptables -t mangle -I POSTROUTING -s 192.190.4.121/32 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1300;

    Regards