
Issue of MSS on IPSEC VPN

I have SG devices at the head office and the branch office, and the two devices are connected using an IPsec VPN tunnel.
All traffic, including internet traffic, from the branch office goes out through the head office. That means it is an IPsec VPN full tunnel.

There is no problem when clients at the branch office access in-house applications through the IPsec VPN tunnel.
But if clients at the branch office try to access the internet, e.g. google.com or yahoo.com, through the IPsec VPN tunnel, the web page doesn't load completely (and some web pages can't be accessed at all).

I thought it was a fragmentation issue, because the traffic gains the overhead of the IPsec headers when it goes through the IPsec VPN.
So I changed the MTU size (1200, 1300 and 1400) on the WAN interface of the head office.

Sophos also recommends changing the MTU to fix this issue, as in the article below.
community.sophos.com/.../121296

But the issue was not fixed.


I found the article below in the Sophos community.
community.sophos.com/.../202291

And I applied the command below according to that article.

iptables -I FORWARD 1 -o <outgoing interface> -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1320

My issue was fixed after applying the iptables command, and clients can access all web pages through the IPsec VPN tunnel without any issues.


I thought that if I change the MTU size, the MSS should also change according to the changed MTU (because MTU = MSS + IP header + TCP header).
But changing only the MTU did not fix the issue.

 

I am really curious why changing the MTU does not fix this issue.

It would be much appreciated if anyone could help me resolve my curiosity.
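As an added illustration, not code from this thread or from Sophos: the iptables TCPMSS rule rewrites the MSS option inside every forwarded SYN, which is something a lower interface MTU on the gateway never does, because the MSS is chosen by the client from its own interface MTU (1460 for a 1500-byte host) before the gateway ever sees the packet. The Python below builds a constructed SYN, clamps it the way the rule does, and repairs the TCP checksum; the addresses, ports and the MSS-from-MTU arithmetic are assumptions for the example.

```python
import struct

# Header sizes used to turn an interface MTU into the largest TCP payload
# (MSS) that fits: MTU = MSS + IP header + TCP header (+ tunnel overhead).
IPV4_HDR = 20
TCP_HDR = 20


def mss_for_mtu(mtu, tunnel_overhead=0):
    """Largest MSS that fits in `mtu`; `tunnel_overhead` is whatever the
    IPsec encapsulation adds (cipher- and NAT-T-dependent, so pass your own
    measured figure; zero here means a plain host on a 1500-byte LAN)."""
    return mtu - IPV4_HDR - TCP_HDR - tunnel_overhead


def ones_complement_sum(data):
    """RFC 1071 checksum over `data` (zero-padded to a 16-bit boundary)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip, dst_ip, segment):
    """TCP checksum including the IPv4 pseudo-header (protocol 6)."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + segment)


def build_syn(src_ip, dst_ip, src_port, dst_port, mss):
    """Constructed 24-byte TCP SYN carrying a single MSS option (kind 2)."""
    opts = struct.pack("!BBH", 2, 4, mss)
    data_offset = (TCP_HDR + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                      data_offset << 4, 0x02, 65535, 0, 0)
    seg = bytearray(hdr + opts)
    seg[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)


def _walk_options(segment):
    """Yield (offset, kind, length) for each TCP option in `segment`."""
    end = (segment[12] >> 4) * 4
    i = TCP_HDR
    while i < end:
        kind = segment[i]
        if kind == 0:            # end of option list
            return
        if kind == 1:            # NOP, single byte
            i += 1
            continue
        length = segment[i + 1]
        if length < 2:           # malformed: stop rather than loop forever
            return
        yield i, kind, length
        i += length


def mss_option(segment):
    """The advertised MSS, or None if the segment carries no MSS option."""
    for off, kind, length in _walk_options(segment):
        if kind == 2 and length == 4:
            return struct.unpack("!H", segment[off + 2:off + 4])[0]
    return None


def clamp_mss(src_ip, dst_ip, segment, max_mss):
    """What `-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss N` does to a
    forwarded segment: only on a SYN without RST, lower an MSS option that is
    above `max_mss`, then fix the TCP checksum. Anything else is returned
    unchanged."""
    flags = segment[13]
    if not (flags & 0x02) or (flags & 0x04):
        return segment
    seg = bytearray(segment)
    for off, kind, length in _walk_options(seg):
        if kind == 2 and length == 4:
            current = struct.unpack("!H", seg[off + 2:off + 4])[0]
            if current > max_mss:
                seg[off + 2:off + 4] = struct.pack("!H", max_mss)
    seg[16:18] = b"\x00\x00"
    seg[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)


def checksum_ok(src_ip, dst_ip, segment):
    """A correctly checksummed segment sums to zero over the pseudo-header."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


if __name__ == "__main__":
    src, dst = bytes([10, 10, 1, 20]), bytes([192, 0, 2, 80])   # constructed
    syn = build_syn(src, dst, 51000, 443, mss_for_mtu(1500))    # 1460 from a 1500-byte host
    clamped = clamp_mss(src, dst, syn, 1320)
    print(mss_option(syn), "->", mss_option(clamped), checksum_ok(src, dst, clamped))
```

The rule's `--tcp-flags SYN,RST SYN` match is mirrored by the flag test at the top of `clamp_mss`: only the handshake packet is touched, and a SYN that already advertises a small enough MSS passes through byte for byte.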



  • I'm curious, did you try selecting 'Support path MTU discovery' in the 'Advanced' section of the Remote Gateway?  I know we went over this several years ago, so I had hoped the developers would have fixed that.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Yes, I already enabled the option to discover the MTU value.

    The problem is that the option to discover the MTU size does not seem to work, because some destinations do not allow all ICMP.

    That means it is impossible to discover the MTU when negotiating the MTU at session initiation.

    So I think the clients might receive a response packet of 1500 bytes from a server.

    In my understanding, some of our competitors support editing both MTU and MSS.
    But Sophos SG or XG does not provide a way to change the MSS value in the web UI.

     
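An added model of the point above, not code from the thread or from Sophos: a server sends full-size, DF-set segments because the client advertised MSS 1460; if the IPsec path cannot carry them and ICMP "Fragmentation Needed" is filtered, the sender never learns the smaller limit and the connection black-holes, whereas a clamp applied to the SYN makes the server pick a size that fits without any ICMP at all. The 1500/1400-byte MTUs and the 1320 clamp value are constructed assumptions.

```python
# Constructed model of Path MTU Discovery behind an IPsec tunnel.
# All sizes are illustrative; nothing here talks to a real network.

IP_TCP_HDRS = 40          # IPv4 + TCP headers
CLIENT_MTU = 1500         # typical LAN host, so it advertises MSS 1460
TUNNEL_MTU = 1400         # assumed effective MTU inside the IPsec tunnel


def advertised_mss(mtu, clamp=None):
    """MSS a host puts in its SYN (its MTU minus headers). A clamp applied
    in transit lowers the value before the peer ever sees it."""
    mss = mtu - IP_TCP_HDRS
    return min(mss, clamp) if clamp is not None else mss


def deliver(server_mss, path_mtu, icmp_allowed, max_rounds=4):
    """Server sends `server_mss`-byte segments with DF set. A hop whose MTU is
    smaller drops them and can only report the limit with ICMP 'Fragmentation
    Needed' when ICMP is allowed. Returns ('ok', size) once a packet fits, or
    ('blackhole', size) when oversized packets vanish with no feedback."""
    size = server_mss + IP_TCP_HDRS
    for _ in range(max_rounds):
        if size <= path_mtu:
            return "ok", size
        if not icmp_allowed:
            return "blackhole", size
        size = path_mtu       # sender learns the path MTU and shrinks
    return "blackhole", size


def page_load(clamp=None, icmp_allowed=True, gateway_mtu=TUNNEL_MTU):
    """Handshake plus the first full-size response from a 1500-byte server.
    Lowering the gateway's interface MTU only changes `gateway_mtu`; it does
    not change what the client advertised, so without ICMP only the clamp
    path succeeds."""
    mss = advertised_mss(CLIENT_MTU, clamp)
    return deliver(mss, gateway_mtu, icmp_allowed)


if __name__ == "__main__":
    print("PMTUD with ICMP:      ", page_load())
    print("PMTUD, ICMP filtered: ", page_load(icmp_allowed=False))
    print("lower gateway MTU:    ", page_load(icmp_allowed=False, gateway_mtu=1300))
    print("MSS clamp 1320:       ", page_load(clamp=1320, icmp_allowed=False))
```

The third call is the thread's own experiment in miniature: with ICMP blocked, a smaller WAN MTU still leaves the server sending 1500-byte packets, while the clamp keeps every segment at 1360 bytes and under the tunnel limit.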

  • Please vote for and comment on the option to manage MSS size.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA