Palo Alto Networks Knowledgebase: How to Improve Performance for IPSec Traffic

How to Improve Performance for IPSec Traffic

Created On 09/25/18 19:48 PM - Last Updated 09/25/18 23:09 PM
VPNs

Overview

This document is intended to help improve performance for IPSec traffic. 

 

Details

Tunneled traffic generally grows by 36 bytes over the original packet size because of the ESP header.

Keep in mind that the size of the ESP header may vary depending on the encryption algorithm used.

Note: If the MTU on a device is hard-set using this figure (36 bytes), the tunnel may fail and any path MTU algorithm may break, which is why we recommend the resolution below.

 

Cause

For example, if the original packet size is greater than 1464 bytes, the resulting tunneled packet ends up larger than 1500 bytes, causing slowness and sluggishness between IPSec peers because of packet fragmentation.

 

Resolution

Enabling the "Adjust TCP MSS" option, which automatically adjusts the MSS on the interface terminating the tunnel, resolves this issue by adjusting the MTU to compensate for the extra encapsulation.
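The size arithmetic behind the Details and Cause sections, as an added example that is not Palo Alto Networks code and not how PAN-OS computes its adjustment: it works out the ESP tunnel-mode packet size per cipher suite and the largest TCP MSS that still fits a given MTU. The suite names and helper functions are hypothetical; it assumes an IPv4 outer header without options and the standard IV, block and ICV sizes for each transform.

```python
# Added example: ESP tunnel-mode size arithmetic (IPv4, no IP options).
# Cipher parameters are the standard sizes for these transforms; the suite
# names and helper functions are illustrative, not PAN-OS settings.
OUTER_IP = 20      # outer IPv4 header
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
NAT_T_UDP = 8      # UDP header when NAT traversal is in use

# name: (IV bytes, cipher block bytes, ICV bytes)
SUITES = {
    "aes-cbc/hmac-sha1-96":    (16, 16, 12),
    "aes-cbc/hmac-sha256-128": (16, 16, 16),
    "3des-cbc/hmac-sha1-96":   (8, 8, 12),
    "aes-gcm-16":              (8, 1, 16),
}

def _fixed(suite, nat_t):
    # Bytes added regardless of payload length.
    iv, _, icv = SUITES[suite]
    return OUTER_IP + ESP_HDR + iv + icv + (NAT_T_UDP if nat_t else 0)

def _align(suite):
    # ESP pads the encrypted part to the cipher block size, minimum 4 bytes.
    return max(SUITES[suite][1], 4)

def tunneled_size(inner_len, suite, nat_t=False):
    """Size on the wire of an inner IP packet after ESP encapsulation."""
    a = _align(suite)
    padded = -(-(inner_len + ESP_TRAILER) // a) * a   # round up to alignment
    return _fixed(suite, nat_t) + padded

def max_inner_packet(mtu, suite, nat_t=False):
    """Largest inner IP packet whose ESP packet still fits in `mtu`."""
    a = _align(suite)
    return (mtu - _fixed(suite, nat_t)) // a * a - ESP_TRAILER

def tcp_mss(mtu, suite, nat_t=False):
    """MSS that avoids fragmentation: inner packet minus IPv4 + TCP headers."""
    return max_inner_packet(mtu, suite, nat_t) - 20 - 20

if __name__ == "__main__":
    for name in SUITES:
        inner = max_inner_packet(1500, name)
        print(f"{name:26} overhead at 1464: {tunneled_size(1464, name) - 1464:3}"
              f"  max inner: {inner}  MSS: {tcp_mss(1500, name)}")
```

Because padding rounds up to the cipher block size, the overhead changes with both the suite and the packet length, which is why a single hard-set figure is fragile.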

 

owner: kadak

 


