
Issue of MSS on IPSEC VPN

I have SG devices at the Head office and the branch office, and the two devices are connected using an IPsec VPN tunnel.
All traffic from the branch office, including internet traffic, goes out through the Head office. That means it is an IPsec VPN full tunnel.

There was no problem when clients at the branch office needed to access in-house applications through the IPsec VPN tunnel.
But if clients at the branch office try to access the internet, like google.com or yahoo.com, through the IPsec VPN tunnel, the web page doesn't display completely (and some web pages couldn't be accessed at all).

I thought it was a fragmentation issue, because the traffic has to carry the additional IPsec header overhead when it goes through the IPsec VPN.
So I changed the MTU size (1200, 1300 and 1400) on the WAN interface of the Head office.

Sophos also recommends changing the MTU to fix this issue, as in the article below.
community.sophos.com/.../121296

But the issue was not fixed.


I found the article below in the Sophos community.
community.sophos.com/.../202291

And I applied the command below according to the above article.

iptables -I FORWARD 1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1320

My issue was fixed after applying the iptables command, and clients can access all web pages through the IPsec VPN tunnel without any issues.


I thought that if I changed the MTU size, the MSS should also change according to the new MTU (because MTU = MSS + IP header + TCP header).
But changing only the MTU did not fix the issue.


I am really curious why changing the MTU does not fix this issue.

It would be much appreciated if anyone could help me resolve my curiosity.



  • Hi,


    We are facing the same problem, so my question is:

    Did you only change the MSS to 1320, or did you also change the MTU size of the WAN interface in your Head Office? And to what size?

    And where did you change the MSS? Head Office, Branch Office or both?


    Thanks,

    Ralph

  • Hello Ralph,


    I just added the command below and the issue was fixed.
    iptables -I FORWARD 1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1320

    But the problem is that after a firmware update or reboot, the above command disappears.
    So it has to be added again after every firmware update or reboot.

    From an administrator's point of view, it is very inconvenient and not a good way.


    To fix this issue, we proposed an XG appliance instead of the SG.
    The XG appliance makes it possible to edit both the MTU and the MSS in the web UI.


    Thanks,