The MTU for the SD-WAN logical interfaces is recalculated after a config push from Panorama or local commit
Created On 07/25/22 14:33 PM - Last Modified 06/13/24 21:39 PM
Symptom
- The MTU for SD-WAN interfaces should be 1500 when the members are Ethernet interfaces and 1432 when the members are tunnel interfaces:
admin@PA-VM> show interface sdwan.901 | match SD-WAN
SD-WAN interface members: ethernet1/4,ethernet1/5
admin@PA-VM> show interface sdwan.901 | match MTU
Interface MTU 1500
admin@PA-VM> show interface sdwan.902 | match SD-WAN
SD-WAN interface members: tunnel.900,tunnel.901,tunnel.902,tunnel.903
admin@PA-VM> show interface sdwan.902 | match MTU
Interface MTU 1432
- This changes after a config push from Panorama to a managed Palo Alto Networks firewall, or after a local commit.
- The MTU for both the tunnel-based and Ethernet-based SD-WAN interfaces is recalculated to 1500 bytes.
admin@PA-VM> show interface sdwan.901 | match MTU
Interface MTU 1500
admin@PA-VM> show interface sdwan.902 | match MTU
Interface MTU 1500
Environment
- Palo Alto Firewalls (VM and hardware)
- PAN-OS 9.1 and later
- SD-WAN
Cause
The MTU was recalculated after a local commit or config push from Panorama.
Resolution
- The issue is fixed under PAN-194406, and the fix is included in the 10.1.7 and 10.2.3 releases.
- Upgrading should resolve the issue.
- The workaround is to clear the IPSec tunnels.
- Once they are cleared, the MTU is recalculated as 1432 for the tunnel interfaces.
admin@PA-VM> clear vpn ipsec-sa tunnel tl_0104_007051000184927_0104
Clear IPSec SA for tunnel tl_0104_007051000184927_0104: 0 IKEv1 SA, 1 IKEv2 SA.
...
(clear all tunnels)
admin@PA-VM> show interface sdwan.901 | match MTU
Interface MTU 1500
admin@PA-VM> show interface sdwan.902 | match MTU
Interface MTU 1432
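To confirm the state after a commit or after applying the workaround, the check below parses a saved transcript of the show commands used in this article and reports any SD-WAN interface whose MTU differs from the expected value for its member type. It is an added example, not Palo Alto Networks code; the function names and the sample transcript are constructed for illustration.

```python
import re

# Expected MTUs as stated in the article, keyed by member interface type.
EXPECTED_MTU = {"ethernet": 1500, "tunnel": 1432}

CMD_RE = re.compile(r">\s*show interface (sdwan\.\d+)\b")
MEMBERS_RE = re.compile(r"^SD-WAN interface members:\s*(.+)$")
MTU_RE = re.compile(r"^Interface MTU\s+(\d+)")

def parse_transcript(text):
    """Collect member types and the last reported MTU per sdwan interface."""
    state, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := CMD_RE.search(line):
            current = m.group(1)
            state.setdefault(current, {"kinds": set(), "mtu": None})
        elif current is None:
            continue
        elif m := MEMBERS_RE.match(line):
            # "ethernet1/4" -> "ethernet", "tunnel.900" -> "tunnel"
            state[current]["kinds"] = set(re.findall(r"([a-z]+)[\d.]", m.group(1)))
        elif m := MTU_RE.match(line):
            state[current]["mtu"] = int(m.group(1))
    return state

def find_mtu_mismatches(text):
    """Return {interface: (reported, expected)} where the MTU is off."""
    bad = {}
    for name, info in parse_transcript(text).items():
        if len(info["kinds"]) != 1 or info["mtu"] is None:
            continue  # members or MTU not captured, or mixed member types
        expected = EXPECTED_MTU.get(next(iter(info["kinds"])))
        if expected is not None and info["mtu"] != expected:
            bad[name] = (info["mtu"], expected)
    return bad

# Constructed transcript built from the article's post-commit outputs.
SAMPLE = """\
admin@PA-VM> show interface sdwan.901 | match SD-WAN
SD-WAN interface members: ethernet1/4,ethernet1/5
admin@PA-VM> show interface sdwan.901 | match MTU
Interface MTU 1500
admin@PA-VM> show interface sdwan.902 | match SD-WAN
SD-WAN interface members: tunnel.900,tunnel.901,tunnel.902,tunnel.903
admin@PA-VM> show interface sdwan.902 | match MTU
Interface MTU 1500
"""
```

Calling find_mtu_mismatches(SAMPLE) flags sdwan.902 only; the same transcript captured after clearing the tunnels returns an empty result.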