The Difference Between Interface MTU and Tunnel MTU Output

65319
Created On 09/25/18 19:24 PM - Last Modified 06/07/23 20:29 PM


Resolution


Symptom

When running the command show interface tunnel.X, the interface MTU is reported as 1500 bytes.

admin@PA-5050> show interface tunnel.1
--------------------------------------------------------------------------------
Name: tunnel.1, ID: 266
Operation mode: layer3
Virtual router default
Interface MTU 1500

Checking the output of the command show vpn flow tunnel-id X, the reported MTU value is different.

admin@PA-5050> show vpn flow tunnel-id 1
tunnel  linux:a1
        id:                     1
        type:                   IPSec
        tunnel mtu:             1448

Cause

Even though the two outputs show different values, the firewall is correct in both cases. The first command displays the MTU including the IPsec headers and trailers, while the second command displays the MTU of the data payload only, without any headers and trailers.

In ESP tunnel mode, the VPN tunnel MTU is the data payload plus:

  • 20 bytes IPsec header (tunnel mode)
  • 4 bytes SPI (ESP header)
  • 4 bytes Sequence (ESP Header)
  • 8 byte IV (IOS ESP-DES/3DES)
  • 2 byte pad (ESP-DES/3DES 64 bit)
  • 1 byte Pad length (ESP Trailer)
  • 1 byte Next Header (ESP Trailer)
  • 12 bytes ESP MD5 96 digest

This adds up to a total of 52 bytes of overhead. Adding it to the reported tunnel MTU of 1448 gives 1500 bytes, which is the configured interface MTU.
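As an added example (not part of the article), the Python below parses the two command outputs and checks that the reported tunnel MTU equals the interface MTU minus the per-component ESP overhead listed above. The sample outputs are constructed from the article, the default component sizes are the ones in the list (the fixed 2-byte pad is the article's assumption, not a computed pad), and iv/icv can be changed for other algorithms.

```python
import re
from dataclasses import dataclass

# Constructed sample output, modelled on the two PAN-OS commands above.
SHOW_INTERFACE = """\
Name: tunnel.1, ID: 266
Operation mode: layer3
Virtual router default
Interface MTU 1500
"""

SHOW_VPN_FLOW = """\
tunnel  linux:a1
        id:                     1
        type:                   IPSec
        tunnel mtu:             1448
"""

@dataclass(frozen=True)
class EspOverhead:
    """Bytes added around the payload in ESP tunnel mode (defaults follow the article)."""
    outer_ip: int = 20      # outer IPv4 header added by tunnel mode
    spi: int = 4            # ESP header: Security Parameters Index
    sequence: int = 4       # ESP header: sequence number
    iv: int = 8             # DES/3DES-CBC IV (AES-CBC would use 16)
    pad: int = 2            # fixed pad assumed by the article; real pad varies per packet
    pad_length: int = 1     # ESP trailer
    next_header: int = 1    # ESP trailer
    icv: int = 12           # HMAC-MD5-96 digest (SHA-256 would use 16)

    def total(self) -> int:
        return sum(vars(self).values())

def parse_interface_mtu(text: str) -> int:
    """Extract 'Interface MTU <n>' from show interface output."""
    return int(re.search(r"^Interface MTU\s+(\d+)", text, re.M).group(1))

def parse_tunnel_mtu(text: str) -> int:
    """Extract 'tunnel mtu: <n>' from show vpn flow output."""
    return int(re.search(r"tunnel mtu:\s+(\d+)", text).group(1))

def check_tunnel_mtu(iface_out: str, vpn_out: str, overhead: EspOverhead = EspOverhead()) -> dict:
    """Compare the reported tunnel MTU with interface MTU minus ESP overhead."""
    iface, tunnel = parse_interface_mtu(iface_out), parse_tunnel_mtu(vpn_out)
    expected = iface - overhead.total()
    return {"interface_mtu": iface, "tunnel_mtu": tunnel,
            "expected_tunnel_mtu": expected, "consistent": tunnel == expected}

if __name__ == "__main__":
    print(check_tunnel_mtu(SHOW_INTERFACE, SHOW_VPN_FLOW))
```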

owner: aciobanu


