gbollinger
New Member
November 20, 2022
Question

TCP MSS - Apply to Interface or Policy

  • November 20, 2022
  • 3 replies
  • 20304 views

Should I apply the TCP MSS / TCP sender or receiver commands to the interface, the policy, or both?


What is best practice?

3 replies

gfleming
Staff
November 20, 2022

What are you trying to accomplish?

gbollinger
New Member
November 21, 2022

I'm trying to limit packet fragmentation (TCP and UDP) for traffic originating from behind the FW and for the VPNs (SSL and IPsec) logically connecting to it. I'm not sure whether it's best to apply the TCP MSS size adjustment on the FW interfaces or policies or both, and whether to lower the WAN/VPN tunnel interfaces to a lower MTU with PMTU discovery enabled on the FW.

gfleming
Staff
November 21, 2022

So you need to determine why you are getting fragmentation in the first place and address it in the correct spot. If all traffic is fragmented, you likely need a more global setting like on your WAN interface. If it's just VPN traffic, then setting MTU and MSS on the VPN interfaces would be ideal and all you need to do. Setting it at the policy level works, but doesn't work when people forget to set it when creating new policies, for example. It also only works for MSS and not MTU (so non-TCP traffic may still get fragmented).


Some more reading here: https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/596096/interface-mtu-packet-size
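The three placements gfleming describes, written out as FortiOS CLI. This is an added example, not configuration posted in the thread or taken from the Fortinet documentation. The interface name port1 (WAN), the tunnel name vpn-hq (an IPsec phase1-interface tunnel), policy ID 10, and the 1400/1360 values are all assumptions; 1360 is 1400 minus a 20-byte IPv4 header and a 20-byte TCP header, so a peer that honours the clamped MSS never produces a TCP segment larger than the tunnel MTU. Whether mtu-override is accepted on an IPsec tunnel interface depends on the FortiOS release, so confirm against the documentation link above for your version.

```fortios
# Added example. Assumed names/values: port1 = WAN interface,
# vpn-hq = IPsec tunnel interface, policy 10 = LAN -> tunnel policy.
# 1400 (MTU) and 1360 (MSS) are illustrative; 1360 = 1400 - 20 (IPv4) - 20 (TCP).

# 1. "Global" placement: clamp MSS on the WAN interface. Every TCP flow that
#    crosses port1 gets the clamp, but UDP and other non-TCP traffic is untouched.
config system interface
    edit "port1"
        set tcp-mss 1360
    next
end

# 2. Tunnel-only placement: lower the MTU of the IPsec tunnel interface so that
#    oversized packets are dealt with before ESP encapsulation instead of the
#    outer ESP packets being fragmented, and clamp MSS on the same interface so
#    TCP never needs fragmenting in the first place.
config system interface
    edit "vpn-hq"
        set mtu-override enable
        set mtu 1400
        set tcp-mss 1360
    next
end

# 3. Per-policy placement: clamps MSS only for flows matched by this policy,
#    separately for each direction. TCP only, so UDP inside the tunnel is
#    unaffected, and any new policy created without these two lines has no clamp.
config firewall policy
    edit 10
        set tcp-mss-sender 1360
        set tcp-mss-receiver 1360
    next
end

# Check: capture up to 10 TCP SYN packets (tcp[13]&2 tests the SYN flag) on the
# tunnel interface at verbosity 6, which includes the packet bytes, and read the
# MSS value from the TCP options to confirm the clamp is being applied.
diagnose sniffer packet vpn-hq 'tcp[13]&2!=0' 6 10
```

The sniffer check is the practical difference between the placements: a SYN seen on vpn-hq with an MSS of 1360 confirms the interface clamp, while a SYN that still carries the client's original MSS means the flow is not hitting the interface or policy where the clamp was set.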

gbollinger
New Member
November 23, 2022

The true area of concern is the IPsec VPN. Do you recommend setting both TCP MSS to 1360 and MTU to 1400 at the virtual interface and the appropriate policies? This way, neither the tunnel nor any UDP or TCP traffic within it is fragmented? Leave the WAN interface at MTU 1500 and all other MSS as normal for all other traffic?

luchobas
New Member
July 1, 2023

I know this topic is old, but I have a question regarding applying MSS to a physical interface of an MPLS link. Is it necessary to disable and enable the interface after applying the MSS, or should it take effect automatically? Version 6.4.13.


Thanks!