MTU (Maximum Transmission Unit) usually refers to the maximum amount of data (in bytes) that we can place as payload into a Layer 2 frame. In most cases we are talking about Ethernet on Layer 2 and IP on Layer 3, where the previous statement translates to the maximum IP packet size that can be carried by an Ethernet frame. Formally, each OSI (Open Systems Interconnection) model layer has its own PDU (Protocol Data Unit), which encapsulates the data called an SDU (Service Data Unit) as its payload. The SDU received at layer n is the PDU of layer n+1.

Note: Though we often call the PDUs of different layers "packets", the usual convention is that the PDU has a distinct name at each layer:

Layer

Why do we need to consider MTU size when we are talking about VPN solutions such as GlobalProtect?

All VPN solutions add a certain overhead to our original data, which effectively reduces the MTU we are able to use (if we want to avoid fragmentation). Additionally, the MTU can be different (lower) somewhere along the connection path and introduce issues.

What is fragmentation and why do we want to avoid it?

Fragmentation is the process of splitting an IP packet into multiple fragments (which are IP packets themselves) when the data to be carried exceeds the egress interface MTU. Some of the downsides of fragmentation are:

(a) lower throughput (performance), caused by the additional per-fragment header overhead
(b) additional CPU processing time needed to handle fragmentation (regardless of whether we are fragmenting data or reassembling received fragments)
(c) if a single fragment is lost on the receiving end, the upper-layer retransmission mechanism (such as TCP's) re-sends the whole segment, and therefore all of its fragments (there is no retransmission or flow-control mechanism at the IP layer)
(d) IP fragmentation is used as an evasion technique, making it harder for security devices (such as firewalls) to detect malicious payloads (overlapping fragments, depleting or exceeding reassembly buffers, etc.)

Note: This article focuses on IPv4 MTU issues, as IPv6 handles fragmentation quite differently (only the sending host fragments; routers on the path do not).

Looking at the overhead added in the case of a GlobalProtect IPSec tunnel, we have the following:

- an additional IP header used to deliver the packet between the tunnel endpoints (external tunnel IPs)
- UDP encapsulation used for NAT traversal (port 4501)

The exact overhead size depends on the cipher used and on the pad length (which varies with the size of the input data).

Example of a decrypted packet in Wireshark:

For the AES-CBC (Cipher Block Chaining) cipher, we have the following overhead size:

Header / Trailer

For the AES-GCM (Galois/Counter Mode) cipher:

Header / Trailer

GlobalProtect can use an SSL-based tunnel as well, which adds its own overhead.

Note: The IPSec tunnel is preferred from a performance perspective. This is not just because SSL tunnels add a bit more overhead. The main reason is that the outer SSL tunnel is TCP-based and has its own flow control (unlike the UDP-encapsulated IPSec tunnel). This is especially visible for TCP-based transfers inside the tunnel (HTTP, HTTPS, FTP, SMB, etc.), because we then have two separate, out-of-sync flow controls, one for the inner flow and one for the outer tunnel flow.

The added overhead depends on the cipher suite used and on padding. For example, when using AES_256_GCM_SHA384, the overhead consists of:

Header / Trailer

To accommodate the additional overhead, the tunnel interface attached to the GlobalProtect Gateway automatically adjusts its MTU value based on the tunnel type (IPSec vs SSL) and the cipher used. This in turn affects the MSS (Maximum Segment Size) TCP option advertised across the tunnel.

Note that the show interface tunnel.<n> CLI command shows either:

- the default platform MTU value, or
- the explicit MTU value configured on the tunnel interface (if one is configured).

```
> show interface tunnel.2
Maximum of frame size excluding Ethernet header: 1500
```

Note that the auto-adjustment happens only if no explicit MTU value is configured on the tunnel interface (if one is configured, the explicit value is used for every tunnel, regardless of the negotiated tunnel type/cipher).

We can see the auto-adjusted MTU value after the GlobalProtect tunnel establishes by looking at the output of the show global-protect-gateway flow tunnel-id <id> CLI command. Let's say the default system MTU is 1500 and there is no explicit value configured on the tunnel interface; we then see different auto-adjusted values for the tunnels depending on the cipher used (in this case IPSec with AES-CBC and AES-GCM).
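The overhead arithmetic described above (outer IP header, UDP/4501 encapsulation, ESP header, cipher-dependent IV, padding and ICV) can be worked through in code. The following is an added example written for this page, not code from the original article or from Palo Alto Networks. The per-cipher byte counts are assumptions taken from the ESP RFCs (RFC 4303 framing, RFC 3602 AES-CBC with a 16-byte IV, RFC 4106 AES-GCM with an 8-byte IV, 16-byte ICVs); the article's own overhead tables are not reproduced here, so the resulting numbers are illustrative and must be checked against `show global-protect-gateway flow tunnel-id <id>` on a real gateway. The assumed cipher names (`AES_CBC_HMAC_SHA256`, `AES_GCM_128_ICV`) and helper names are this example's own.

```python
"""Added example: ESP-over-UDP overhead, largest non-fragmenting inner packet,
and the TCP MSS that follows from it. Not PAN-OS code; sizes are RFC-based
assumptions, not the gateway's own tables."""
from dataclasses import dataclass

OUTER_IPV4 = 20    # delivery IP header between the tunnel endpoints
OUTER_UDP = 8      # NAT-T encapsulation (GlobalProtect uses UDP/4501)
ESP_SPI_SEQ = 8    # ESP header: SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspCipher:
    name: str
    iv_len: int     # explicit IV carried at the start of the ESP payload
    pad_block: int  # alignment that (payload + 2-byte trailer) must satisfy
    icv_len: int    # integrity check value appended after the trailer


# Assumed cipher combinations (RFC 3602 / RFC 4868 and RFC 4106 sizes).
AES_CBC_HMAC_SHA256 = EspCipher("AES-CBC + HMAC-SHA-256-128", iv_len=16, pad_block=16, icv_len=16)
AES_GCM_128_ICV = EspCipher("AES-GCM (16-byte ICV)", iv_len=8, pad_block=4, icv_len=16)


def esp_padding(inner_len: int, cipher: EspCipher) -> int:
    """ESP padding bytes so that (payload + trailer) ends on the cipher's boundary.
    This is the part of the overhead that varies with the input size."""
    return (-(inner_len + ESP_TRAILER)) % cipher.pad_block


def outer_length(inner_len: int, cipher: EspCipher) -> int:
    """On-the-wire IPv4 length of one inner packet after full encapsulation."""
    return (OUTER_IPV4 + OUTER_UDP + ESP_SPI_SEQ + cipher.iv_len
            + inner_len + esp_padding(inner_len, cipher)
            + ESP_TRAILER + cipher.icv_len)


def overhead(inner_len: int, cipher: EspCipher) -> int:
    return outer_length(inner_len, cipher) - inner_len


def max_inner_packet(outer_mtu: int, cipher: EspCipher) -> int:
    """Largest inner IPv4 packet whose encapsulated form still fits outer_mtu.
    Padding depends on the size itself, so search downward rather than use a
    closed formula; the search is at most outer_mtu iterations."""
    for inner in range(outer_mtu, 0, -1):
        if outer_length(inner, cipher) <= outer_mtu:
            return inner
    raise ValueError("outer MTU too small for any payload")


def tcp_mss(inner_mtu: int, ip_hdr: int = 20, tcp_hdr: int = 20) -> int:
    """MSS to advertise/clamp for IPv4 TCP without options inside the tunnel."""
    return inner_mtu - ip_hdr - tcp_hdr


def report(outer_mtu: int = 1500) -> dict:
    """name -> (inner tunnel MTU, TCP MSS, fixed+pad overhead at that size)."""
    rows = {}
    for c in (AES_CBC_HMAC_SHA256, AES_GCM_128_ICV):
        inner = max_inner_packet(outer_mtu, c)
        rows[c.name] = (inner, tcp_mss(inner), overhead(inner, c))
    return rows


if __name__ == "__main__":
    for name, (inner, mss, ovh) in report().items():
        print(f"{name:30s} inner MTU {inner}  MSS {mss}  overhead {ovh}")
```

The point the numbers make is the one the article makes: with the same 1500-byte physical MTU, AES-CBC costs more than AES-GCM (a larger IV plus 16-byte block padding), so the tunnel MTU and the MSS that must be clamped differ per negotiated cipher, and a single hard-coded MTU on the tunnel interface cannot be right for both.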
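The fragmentation process itself, and the overlapping-fragment evasion listed under (d), can be shown with a small RFC 791 fragmenter and a receiver that refuses overlaps instead of guessing which copy wins. This is an added example written for this page, not code from the original article or from any firewall vendor; the packets are constructed inline (assumed addresses 10.0.0.1 and 10.0.0.2, a made-up identification field) and nothing is sent on the wire.

```python
"""Added example: IPv4 fragmentation per RFC 791 and strict reassembly that
rejects overlapping fragments (a classic firewall/IDS evasion). Constructed
packets only; not from the original article."""
import struct

IHL_BYTES = 20
MF = 0x2000           # More Fragments flag
DF = 0x4000           # Don't Fragment flag
OFFSET_MASK = 0x1FFF  # fragment offset, in 8-byte units
HDR_FMT = "!BBHHHBBH4s4s"


def ipv4_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4(payload: bytes, ident: int = 0x1234, flags: int = 0, frag_off: int = 0,
               proto: int = 17, src: bytes = b"\x0a\x00\x00\x01",
               dst: bytes = b"\x0a\x00\x00\x02") -> bytes:
    """Minimal IPv4 header (no options) + payload. frag_off is in 8-byte units."""
    hdr = struct.pack(HDR_FMT, 0x45, 0, IHL_BYTES + len(payload), ident,
                      flags | frag_off, 64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, _tos, total, ident, ff, _ttl, proto, _csum, src, dst = struct.unpack(HDR_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ident": ident, "flags": ff & 0xE000, "offset": (ff & OFFSET_MASK) * 8,
            "proto": proto, "src": src, "dst": dst, "payload": pkt[ihl:total]}


def fragment(pkt: bytes, mtu: int) -> list:
    """Split pkt into fragments that each fit mtu. With DF set a router must
    drop the packet (and send ICMP 'fragmentation needed'), so raise instead."""
    p = parse_ipv4(pkt)
    if len(pkt) <= mtu:
        return [pkt]
    if p["flags"] & DF:
        raise ValueError("DF set: packet must be dropped, not fragmented")
    chunk = (mtu - IHL_BYTES) // 8 * 8   # all but the last piece: multiple of 8
    if chunk <= 0:
        raise ValueError("MTU too small to carry any payload")
    data, out = p["payload"], []
    for start in range(0, len(data), chunk):
        piece = data[start:start + chunk]
        more = MF if (start + chunk < len(data) or p["flags"] & MF) else 0
        out.append(build_ipv4(piece, p["ident"], more, (p["offset"] + start) // 8,
                              p["proto"], p["src"], p["dst"]))
    return out


def reassemble(frags: list) -> bytes:
    """Rebuild the datagram. Overlaps are rejected outright: hosts resolve them
    first-wins or last-wins depending on OS, and that ambiguity is exactly what
    the evasion under (d) relies on, so a security device should not guess."""
    parsed = sorted((parse_ipv4(f) for f in frags), key=lambda p: p["offset"])
    if len({(p["ident"], p["src"], p["dst"], p["proto"]) for p in parsed}) != 1:
        raise ValueError("fragments belong to different datagrams")
    expected, data = 0, bytearray()
    for i, p in enumerate(parsed):
        if p["offset"] < expected:
            raise ValueError(f"overlapping fragment at offset {p['offset']}")
        if p["offset"] > expected:
            raise ValueError(f"gap before offset {p['offset']}")
        last = i == len(parsed) - 1
        if bool(p["flags"] & MF) == last:
            raise ValueError("MF flag inconsistent with fragment position")
        data += p["payload"]
        expected += len(p["payload"])
    return bytes(data)


SAMPLE_PAYLOAD = bytes(range(256)) * 6   # constructed 1536-byte inner payload


def demo(mtu: int = 576) -> int:
    """Fragment the sample datagram for the given MTU and prove reassembly; returns fragment count."""
    frags = fragment(build_ipv4(SAMPLE_PAYLOAD), mtu)
    assert reassemble(frags) == SAMPLE_PAYLOAD
    return len(frags)


def evasion_rejected(mtu: int = 576) -> bool:
    """Inject a fragment whose data overlaps the tail of the first one and confirm rejection."""
    frags = fragment(build_ipv4(SAMPLE_PAYLOAD), mtu)
    p1 = parse_ipv4(frags[1])
    overlap = build_ipv4(b"\x00" * 64, p1["ident"], MF, p1["offset"] // 8 - 1,
                         p1["proto"], p1["src"], p1["dst"])
    try:
        reassemble(frags + [overlap])
    except ValueError as e:
        return "overlapping" in str(e)
    return False


if __name__ == "__main__":
    print("fragments at MTU 576:", demo(576), "evasion rejected:", evasion_rejected())
```

Two details matter for the tunnel discussion: every fragment carries a full 20-byte IP header (downside (a)), and a single lost fragment makes `reassemble` fail with a gap, so the whole datagram, and the TCP segment inside it, must be retransmitted (downside (c)).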