I have SG devices at the head office and the branch office, and the two devices are connected using an IPsec VPN tunnel. All traffic, including internet traffic, from the branch office goes out through the head office. That means an IPsec VPN full tunnel.
There was no problem when clients at the branch office needed to access in-house applications through the IPsec VPN tunnel. But if clients at the branch office try to access the internet, like google.com or yahoo.com, through the IPsec VPN tunnel, the web page doesn't display completely (and some web pages couldn't be accessed at all).
I thought that it was a fragmentation issue, because the traffic needs to add the overhead of the IPsec header when it goes through the IPsec VPN. So, I changed the MTU size (1200, 1300 and 1400) on the WAN interface of the head office.
And Sophos also recommends changing the MTU to fix this issue, as in the article below: community.sophos.com/.../121296
But the issue was not fixed.
I found the article below in the Sophos community: community.sophos.com/.../202291
And I applied the command below according to that article.
iptables -I FORWARD 1 -o -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1320
My issue was fixed after applying the iptables command, and clients can access all web pages through the IPsec VPN tunnel without any issues.
I thought that if I change the MTU size, the MSS should also change according to the changed MTU (because MTU = MSS + IP header + TCP header). But changing the MTU alone did not fix the issue.
I am really curious why changing the MTU does not fix this issue.
It would be much appreciated if anyone could help me resolve my curiosity.
I'm curious, did you try selecting 'Support path MTU discovery' in the 'Advanced' section of the Remote Gateway? I know we went over this several years ago, so I had hoped the developers would have fixed that.
Cheers - Bob
Yes, I already enabled the option to discover MTU value.
The problem is that the option to discover the MTU size doesn't seem to be working, because some destinations don't allow all ICMP.
That means it is impossible to discover the MTU when negotiating the MTU at session initiation.
So, I think the clients might receive response packets of 1500 bytes from a server.
In my understanding, some of our competitors support editing both MTU and MSS. But Sophos SG or XG does not provide a way to change the MSS value in the web UI.
Please vote for and comment on the option to manage MSS size.
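The reasoning in the posts above (the branch client derives its MSS from its own 1500-byte MTU, so lowering the head-office WAN MTU changes nothing; path MTU discovery cannot repair this when the remote server filters ICMP; clamping the MSS in the SYN does) as an added worked example that is not code from the thread or from Sophos. It assumes IPv4, ESP tunnel mode with AES-CBC (16-byte IV and block size) and HMAC-SHA1-96 (12-byte ICV), no NAT-T, and that encapsulated ESP packets are not fragmented.

```python
# Added worked example (not from the thread): why lowering the head-office
# WAN MTU does not fix the tunnel problem while clamping the TCP MSS does.
# Assumptions: IPv4, ESP tunnel mode with AES-CBC (16-byte IV, 16-byte
# blocks) and HMAC-SHA1-96 (12-byte ICV), no NAT-T, and encapsulated ESP
# packets are never fragmented. All sizes are in bytes.

IP_HDR, TCP_HDR = 20, 20
OUTER_IP, ESP_HDR, ESP_IV, ESP_TRAILER, ESP_ICV = 20, 8, 16, 2, 12
AES_BLOCK = 16

def mss_from_mtu(mtu):
    """MSS a host derives from its own interface MTU (MTU = MSS + IP + TCP)."""
    return mtu - IP_HDR - TCP_HDR

def esp_size(inner_len):
    """On-the-wire size of an inner IPv4 packet after ESP tunnel encapsulation."""
    pad = -(inner_len + ESP_TRAILER) % AES_BLOCK      # pad up to the cipher block
    return OUTER_IP + ESP_HDR + ESP_IV + inner_len + pad + ESP_TRAILER + ESP_ICV

def max_safe_mss(wan_mtu):
    """Largest MSS whose full-size segment still fits the WAN MTU after ESP."""
    mss = mss_from_mtu(wan_mtu)
    while esp_size(mss + IP_HDR + TCP_HDR) > wan_mtu:
        mss -= 1
    return mss

def simulate(client_mtu, wan_mtu, icmp_allowed, mss_clamp=None):
    """Outcome for one full-size, DF-set server segment sent to a branch client."""
    # The client advertises an MSS based on ITS OWN MTU; the head-office WAN
    # MTU never enters this calculation, so lowering it changes nothing.
    mss = mss_from_mtu(client_mtu)
    if mss_clamp is not None:
        mss = min(mss, mss_clamp)         # what TCPMSS --set-mss rewrites in the SYN
    inner = mss + IP_HDR + TCP_HDR        # the server fills the advertised MSS
    if esp_size(inner) <= wan_mtu:
        return "ok"
    # Too large to encapsulate: the tunnel endpoint must send ICMP "fragmentation
    # needed" back to the server so it shrinks its segments (PMTUD). If the
    # server side drops ICMP, the big segments vanish and pages load partially.
    return "pmtud_recovered" if icmp_allowed else "blackhole"

if __name__ == "__main__":
    print("default        ", simulate(1500, 1500, icmp_allowed=False))
    print("WAN MTU 1400   ", simulate(1500, 1400, icmp_allowed=False))
    print("ICMP allowed   ", simulate(1500, 1500, icmp_allowed=True))
    print("MSS clamp 1320 ", simulate(1500, 1500, False, mss_clamp=1320))
    print("max safe MSS behind a 1500-byte WAN:", max_safe_mss(1500))
```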
We are facing the same problem. So my question is:
Did you only change the MSS to 1320, or did you also change the MTU size of the WAN interface in your head office? And to what size?
And where did you change the MSS? Head office, branch office, or both?
I just added the command below and the issue was fixed. iptables -I FORWARD 1 -o -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1320
But the problem is that if a firmware update or reboot occurs, the above command will disappear. So, the command needs to be added again after a firmware update or reboot.
From an administrator's point of view, it is very inconvenient and not a good approach.
To fix this issue, we proposed an XG appliance instead of the SG. The XG appliance allows editing both MTU and MSS in the web UI.