When to adjust MTU size on the management interface on Palo Alto firewall
Objective
Adjust the MTU on the management interface to work around a path MTU problem: a device along the path between the client and the firewall's management interface drops packets that exceed its MTU and carry the DF (Don't Fragment) bit.
Environment
- Palo Alto Networks Firewall.
- Supported PAN-OS.
Example scenario:
Customer is unable to access the firewall's web (HTTPS) management interface from the admin subnet, but can ping and SSH to the firewall's management interface successfully.
A pcap taken on an intermediate firewall that fronts the customer's management network showed the Client Hello being received and forwarded by that firewall, but no Server Hello coming back. The Client Hello arrived from the client (via the downstream device) split across several TCP segments, each with the DF bit set.
Rx stage:
- Packets #167 and #168 are the Client Hello. The packet detail for #168 shows the reassembled TCP segments and the IP header flag "Don't fragment: Set".
Tx stage:
- The same Client Hello is forwarded by the firewall out of the untrust interface. After this packet the firewall never receives the Server Hello (which carries the server certificate and is therefore a full-size packet); it is presumably dropped on the uplink device connected to the untrust interface.
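The two header fields the capture turns on, IP Total Length and the DF flag, can be read straight off the raw bytes when a pcap is being processed outside Wireshark. The following Python is an added example, not code from the article or from Palo Alto Networks: it builds a constructed IPv4 header shaped like packet #168 (total length 1434, DF set; the client address, IP ID and TTL are placeholders), parses the fields back out the way Wireshark labels them, and derives the ICMP payload size that reproduces a datagram of that length (IP total length minus 20-byte IP header and 8-byte ICMP header).

```python
import socket
import struct

IP_HDR_LEN = 20    # IPv4 header without options
ICMP_HDR_LEN = 8   # ICMP echo header


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over the header's 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(total_length: int, df: bool, src: str, dst: str,
                      ttl: int = 64, proto: int = 6, ident: int = 0x1234) -> bytes:
    """Constructed 20-byte IPv4 header (no options) for a sample packet."""
    flags = 0b010 if df else 0b000       # flags field is 3 bits: reserved, DF, MF
    flags_frag = (flags << 13) | 0       # fragment offset 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(packet: bytes) -> dict:
    """Pull Total Length, DF/MF flags and fragment offset out of a raw IPv4 packet."""
    if len(packet) < IP_HDR_LEN or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_length, ident, flags_frag = struct.unpack("!HHH", packet[2:8])
    flags = flags_frag >> 13
    return {
        "ihl": ihl,
        "total_length": total_length,
        "df": bool(flags & 0b010),
        "mf": bool(flags & 0b001),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # offset is in 8-byte units
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,  # sums to zero when intact
    }


def ping_payload_for(total_length: int) -> int:
    """ICMP data size (ping -l on Windows, -s on Linux) that puts a datagram
    of total_length bytes on the wire."""
    return total_length - IP_HDR_LEN - ICMP_HDR_LEN


def describe(packet: bytes) -> str:
    """Wireshark-style one-liner for the fields the article reads from #168."""
    f = parse_ipv4(packet)
    return "Total Length: %d, Don't fragment: %s, More fragments: %s" % (
        f["total_length"],
        "Set" if f["df"] else "Not set",
        "Set" if f["mf"] else "Not set",
    )


# Constructed sample: a header shaped like the article's packet #168 (1434 bytes, DF set).
# The client address and IP ID are placeholders, not captured values.
SAMPLE_CLIENT_HELLO_HDR = build_ipv4_header(1434, True, "10.1.144.10", "10.1.144.162")

if __name__ == "__main__":
    print(describe(SAMPLE_CLIENT_HELLO_HDR))
    print("ping -f -l %d reproduces a %d-byte datagram" % (ping_payload_for(1434), 1434))
```

The checksum check matters when the header comes from a real capture: a header whose checksum does not verify is usually a capture-offload artefact (checksum filled in by the NIC after the tap point), not a corrupted packet, and should not be mistaken for the cause of the drop.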
Procedure
Based on the pcaps above, the upstream device is suspected of dropping the response packet because of its size. With DF set, a router that cannot forward a packet should drop it and return ICMP "Fragmentation Needed" (type 3, code 4) to the sender so that path MTU discovery can shrink the segment; when that ICMP message is filtered, which is a common hardening choice, the sender receives nothing and the connection silently stalls, consistent with what the capture shows. While investigating, also check whether the upstream devices permit ICMP type 3 code 4 back toward the firewall.
To confirm this and find the largest packet the upstream path accepts, run an ICMP ping test with the DF (Don't Fragment) bit set from the client toward the management IP of the firewall.
In Rx.pcap, #168 had an IP total length of 1434 bytes, so packets of at least that size are known to traverse the path; the ping test establishes the upper bound. Note that Windows `ping -l` sets the ICMP data size, not the IP total length: the datagram on the wire is 28 bytes larger (20-byte IP header plus 8-byte ICMP header), so `-l 1406` reproduces a 1434-byte datagram. Above the path MTU the probe is dropped and no echo reply comes back (or, where ICMP is not filtered, a "needs to be fragmented" message is returned instead of a reply).
>ping -f -l 1434 10.1.144.162
Pinging 10.1.144.162 with 1434 bytes of data:
Reply from 10.1.144.162: bytes=1434 time=20ms TTL=117
Reply from 10.1.144.162: bytes=1434 time=20ms TTL=117
Reply from 10.1.144.162: bytes=1434 time=19ms TTL=117
Reply from 10.1.144.162: bytes=1434 time=18ms TTL=117
>ping -f -l 1450 10.1.144.162
No reply (the probe is dropped upstream).
Once the path MTU has been determined, lower the MTU on the firewall's management interface below that value; in this case 1400 bytes resolved the issue. In the web UI the setting is under Device > Setup > Interfaces > Management (MTU field).
Commit the change on the firewall.
Alternatively, this can also be configured via command line of the firewall.
> configure
Entering configuration mode
[edit]
# set deviceconfig system mtu 1400
[edit]
# commit
# exit
Additional Information
The default MTU on Palo Alto Networks firewalls is 1500 bytes for Ethernet interfaces without jumbo frames enabled; 1500 is also the most common MTU on the internet.
With an MTU of 1500 bytes on Ethernet:
- The TCP payload per segment (the MSS) is 1460 bytes (1500 minus 20 bytes for the IP header and 20 bytes for the TCP header), assuming no IP or TCP options.
- This is why ping and SSH keep working while HTTPS fails: their packets are small, whereas the TLS Server Hello carrying the certificate chain fills full-size segments, and only those exceed the path MTU.