Palo Alto Networks Knowledgebase: How to Improve Performance for IPSec Traffic
Created On 09/25/18 19:48 PM - Last Updated 09/25/18 23:09 PM
This document is intended to help improve performance for IPSec traffic.
Tunneling generally adds 36 bytes to the original size of the packet because of the ESP header.
Keep in mind that the ESP header may vary in size depending on the encryption algorithm used.
Note: If the MTU on a device is hard-set using this figure (36 bytes), it is possible for the tunnel to fail and to break any path MTU algorithm, which is why we recommend the resolution below.
For example, if the original packet size is greater than 1464 bytes, the resulting tunneled packet ends up larger than 1500 bytes, causing slowness and sluggishness between IPSec peers because of packet fragmentation.
Enabling the option "Adjust TCP MSS" to automatically adjust MSS on the interface terminating the tunnel will resolve that issue by adjusting the MTU to compensate for the extra encapsulation.
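How the encapsulation overhead varies with the algorithm, as an added example (not from the original article and not PAN-OS's own calculation). It assumes IPv4 tunnel mode without NAT-T and TCP without options; the suite labels are illustrative names, and the field sizes are the standard ones from the ESP RFCs.

```python
# Added example: ESP tunnel-mode size arithmetic.
# Assumptions: IPv4, tunnel mode, no NAT-T (UDP 4500), no TCP options.
# Field sizes per RFC 4303, RFC 2451, RFC 3602, RFC 4106, RFC 2404, RFC 4868.
OUTER_IP = 20     # new IPv4 header added in tunnel mode
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)
TCP_IP_HDRS = 40  # inner IPv4 (20) + TCP (20)

# Illustrative suite label: (IV bytes, padding alignment in bytes, ICV bytes)
SUITES = {
    "3des-cbc/hmac-sha1-96": (8, 8, 12),
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "aes-cbc/hmac-sha256-128": (16, 16, 16),
    "aes-gcm-16": (8, 4, 16),
}

def tunneled_size(inner_len, suite):
    """Bytes on the wire for an inner IP packet of inner_len bytes."""
    iv, align, icv = SUITES[suite]
    # Payload plus trailer is padded up to the cipher's alignment.
    padded = -(-(inner_len + ESP_TRAILER) // align) * align
    return OUTER_IP + ESP_HDR + iv + padded + icv

def max_inner_packet(link_mtu, suite):
    """Largest inner IP packet that still fits link_mtu after ESP."""
    iv, align, icv = SUITES[suite]
    room = link_mtu - OUTER_IP - ESP_HDR - iv - icv
    return room // align * align - ESP_TRAILER

def clamped_mss(link_mtu, suite):
    """TCP MSS that keeps full-size segments unfragmented in the tunnel."""
    return max_inner_packet(link_mtu, suite) - TCP_IP_HDRS

if __name__ == "__main__":
    for name in SUITES:
        print(f"{name:26} 1464-byte packet -> {tunneled_size(1464, name)} on wire, "
              f"max inner {max_inner_packet(1500, name)}, "
              f"MSS {clamped_mss(1500, name)}")
```

With these suites, a 1464-byte inner packet already exceeds a 1500-byte link MTU once encapsulated, which is why a fixed 36-byte allowance is not safe to hard-set.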