
How does the PaloAlto Firewall handle packets that exceed the MTU

Created On 09/25/18 18:50 PM - Last Modified 11/20/24 21:43 PM


Question


How does the PaloAlto Firewall handle packets that exceed the MTU?



Environment


  • Palo Alto Firewalls
  • Supported PAN-OS


Answer


  1. When the firewall receives a packet larger than the MTU (Maximum Transmission Unit) configured on the egress interface and the DF (Don't Fragment) bit is set in the IP header, it drops the packet and returns an ICMP "fragmentation needed" message (Destination Unreachable, type 3 code 4) to the sender, carrying the MTU that the packet would have to fit. For more information, refer to Scenario A in How the Palo Alto Networks Firewall Manages Fragmented Traffic.
  2. The sender's TCP/IP stack is expected to react by retransmitting with smaller packets (Path MTU Discovery). However, some devices along the path block these ICMP messages, so the sender never learns the smaller MTU and keeps resending the oversized packet, and the connection stalls (a PMTUD black hole).
  3. To avoid this situation across an IPSec VPN tunnel, lower the MTU or the TCP MSS (Maximum Segment Size) on the network devices that terminate the tunnel so that the encapsulated packet still fits the path MTU; on a Layer 3 interface of the firewall this is the Adjust TCP MSS option. When a packet passes through an IPSec tunnel that terminates on a Palo Alto Networks firewall, the firewall automatically adjusts the MSS value in the TCP handshake (SYN and SYN-ACK) to alleviate this situation.
  4. If a dynamic routing protocol such as RIP or OSPF is used on the firewall, verify that the MTU the FIB uses for each route (the mtu column on the right) is not smaller than the MTU configured on the route's egress interface, using the following command:
    > show routing fib
    
    total virtual-router shown :              1
    -------------------------------------------------------------------------------
    virtual-router name: VR1
    interfaces: ethernet1/3 ethernet1/4 tunnel.1
    route table:
    flags: u - up, h - host, g - gateway
    -------------------------------------------------------------------------------
    maximum of fib entries for device:                 1250
    number of fib entries for device:                  6
    maximum of this entries for this fib:              1250
    number of fib entries for this fib:                6
    number of fib entries shown:                       6
    -------------------------------------------------------------------------------
    id      destination           nexthop            flags  interface          mtu
    -------------------------------------------------------------------------------
    4       0.0.0.0/0             10.30.14.254       ug     ethernet1/3        1500
    3       10.30.14.0/24         0.0.0.0            u      ethernet1/3        1500
    2       10.30.14.145/32       0.0.0.0            uh     ethernet1/3        1500
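
As an added example that is not part of this KB article, the following Python script parses a `show routing fib` listing in the format shown above and applies the checks from steps 1, 3 and 4: it flags routes whose FIB MTU is below the configured interface MTU, decides what happens to a packet of a given size against a route MTU, and computes the TCP MSS that fits a given MTU. The sample FIB text reuses the output above plus one constructed tunnel.1 route with a reduced MTU; the interface MTU table is assumed, not taken from any firewall.

```python
import re

# Constructed sample input, not output captured from a firewall: the
# `show routing fib` listing from the article plus one added (assumed)
# tunnel.1 route with a reduced MTU, so the mismatch check has something to find.
SAMPLE_FIB = """\
total virtual-router shown :              1
-------------------------------------------------------------------------------
virtual-router name: VR1
interfaces: ethernet1/3 ethernet1/4 tunnel.1
route table:
flags: u - up, h - host, g - gateway
-------------------------------------------------------------------------------
maximum of fib entries for device:                 1250
number of fib entries for device:                  7
-------------------------------------------------------------------------------
id      destination           nexthop            flags  interface          mtu
-------------------------------------------------------------------------------
4       0.0.0.0/0             10.30.14.254       ug     ethernet1/3        1500
3       10.30.14.0/24         0.0.0.0            u      ethernet1/3        1500
2       10.30.14.145/32       0.0.0.0            uh     ethernet1/3        1500
1       192.168.50.0/24       0.0.0.0            u      tunnel.1           1428
"""

# Assumed per-interface MTU configuration (Network > Interfaces); not part of the CLI output.
INTERFACE_MTU = {"ethernet1/3": 1500, "ethernet1/4": 1500, "tunnel.1": 1500}

# One FIB row: numeric id, destination, nexthop, flags, interface, mtu.
# Header, separator and counter lines do not start with a number and are skipped.
_ROUTE_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<dest>\S+)\s+(?P<nexthop>\S+)\s+"
    r"(?P<flags>[a-z]+)\s+(?P<iface>\S+)\s+(?P<mtu>\d+)\s*$"
)


def parse_fib(text):
    """Return the route rows of a `show routing fib` listing as dicts."""
    routes = []
    for line in text.splitlines():
        m = _ROUTE_RE.match(line)
        if m:
            r = m.groupdict()
            r["id"] = int(r["id"])
            r["mtu"] = int(r["mtu"])
            routes.append(r)
    return routes


def fib_mtu_mismatches(routes, interface_mtu):
    """Step 4 check: routes whose FIB MTU is smaller than the configured interface MTU."""
    return [
        r for r in routes
        if r["iface"] in interface_mtu and r["mtu"] < interface_mtu[r["iface"]]
    ]


def forward_decision(total_length, df, route_mtu):
    """Step 1: what the firewall does with an IPv4 packet of total_length bytes on a route."""
    if total_length <= route_mtu:
        return "forward"
    if df:
        # Oversized with DF set: dropped, ICMP type 3 code 4 reports the next-hop MTU.
        return "drop, ICMP type 3 code 4 (fragmentation needed, next-hop MTU %d)" % route_mtu
    # DF clear: ordinary IPv4 fragmentation applies (assumed; not the case this article covers).
    return "fragment"


def tcp_mss_for_mtu(mtu, header_overhead=40):
    """Step 3: largest TCP MSS that fits an MTU.

    40 = 20-byte IPv4 header + 20-byte TCP header without options. This assumes
    plain IPv4; add the ESP/tunnel overhead to header_overhead for traffic that
    is encapsulated after the MSS is chosen.
    """
    return mtu - header_overhead


if __name__ == "__main__":
    routes = parse_fib(SAMPLE_FIB)
    for r in fib_mtu_mismatches(routes, INTERFACE_MTU):
        print("route %d via %s: FIB mtu %d < interface mtu %d"
              % (r["id"], r["iface"], r["mtu"], INTERFACE_MTU[r["iface"]]))
    print(forward_decision(1600, True, 1428))
    print("MSS for a 1428-byte tunnel MTU:", tcp_mss_for_mtu(1428))
```

Feed it the real listing by pasting the CLI output into SAMPLE_FIB (or reading it from a file) and filling INTERFACE_MTU from the interface configuration; any route it prints is one where the routing protocol has pushed a smaller MTU than the interface carries.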

     



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClQzCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail