MTU IPSec Zero Route

Posted on 2012-08-21
Last Modified: 2014-10-20
I have been working on this problem for quite some time now with zero results.
For some reason, even after working out the correct MTU (with ping -f -l xxxx or mtupath.exe), I still get terrible/no results on web browsing speed. Now it seems as if I need to reboot the remote box every day or two for web browsing to re-establish. All other traffic passes fine; HTTP doesn't.

Main site is running a Watchguard x550, external interface on an Ethernet line.
Remote is running a Watchguard x15, external interface on a PPPoE line.
There is an IPSec tunnel between the two locations with a zero route to force the traffic through the main site for web blocker purposes.

MTU on main\external-interface is set to 1500. (Best I could get)
MTU on remote\external-interface is set to 1400 (Best I could get)
Websites do not load. Unless…
If I change the MTU on Main\external-interface to 1492 the remote sites are fast and web browsing is perfect.

Why would changing the main\external-interface MTU to 1492 solve the remote speed issues?

Here is the MTU I worked out with mtupath.exe and the same results with the simple DOS command:
From Main, To Internet, MTU=1500
From Main, To Remote, MTU=1436
From Remote, To Internet, MTU=1400
From Remote, To Main, MTU=1436

If I remove the zero route on the VPN tunnel then web traffic is fine.
Question by: huntex
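The search that mtupath.exe and repeated `ping -f -l <size>` runs perform by hand, written out as an added example (not code from the original thread). `find_path_mtu` takes a probe callback that returns True when a Don't-Fragment packet of the given total IP size gets through; `simulated_link` is a constructed stand-in for a real path, and `linux_ping_probe` is an optional real probe using iputils ping (`-M do` sets DF, `-s` is the ICMP payload, the Linux equivalent of Windows `ping -f -l`). The 1436 used in the usage line is the value measured in the question.

```python
"""Added example: path-MTU binary search behind 'ping -f -l' / mtupath.exe."""
import subprocess

IP_ICMP_HEADERS = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def find_path_mtu(probe, lo=576, hi=1500):
    """Largest IP packet size (headers included) that passes probe() unfragmented.

    Assumes probe is monotonic: if size N passes, every smaller size passes too.
    Returns hi if even the largest size passes, and lo if nothing above lo does.
    """
    if probe(hi):
        return hi
    # Invariant: sizes <= lo are assumed to pass, sizes >= hi are known to fail.
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def simulated_link(path_mtu):
    """Constructed stand-in for a real path: packets up to path_mtu pass, larger are dropped."""
    return lambda size: size <= path_mtu


def linux_ping_probe(host, timeout_s=2):
    """Real probe for Linux iputils ping (assumed present): DF set, one echo request.

    A non-zero exit covers both 'no reply' and the local 'message too long' error
    that ping raises when the size exceeds the outgoing interface MTU.
    """
    def probe(size):
        payload = size - IP_ICMP_HEADERS
        result = subprocess.run(
            ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do",
             "-s", str(payload), host],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
        )
        return result.returncode == 0
    return probe


if __name__ == "__main__":
    # Simulated path with the 1436-byte MTU measured between the two sites.
    print(find_path_mtu(simulated_link(1436)))
    # Against a real host: print(find_path_mtu(linux_ping_probe("192.0.2.1")))
```

Note that the search only converges on a path that drops oversize DF packets cleanly; the probe sizes are total IP sizes, so subtract 28 to get the `-l`/`-s` payload you would type by hand.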
    LVL 12

    Expert Comment

    The default MTU for a PPPoE line is 1492, and your remote sites are connected by PPPoE to the Internet.
    So without the zero route, your web traffic from the remote site will go directly to the Internet with an MTU of 1492.

    On the main site you have an Ethernet connection, so the MTU is 1500, as this is the default MTU for Ethernet ports.

    Between main and remote you are using a VPN, so because of the IPSec headers + PPPoE header the MTU is lower:
    1436 = 1500 - 8 - IPSec header

    What do you use as the web blocker? As only web traffic is affected, I suspect that the web blocker affects the MTU in some way.
    Can you temporarily disable the web blocker and try to route web traffic from the remote site through the main site?

    Author Comment

    Thank you.
    I have disabled the web blocker (by Watchguard); the connection still stalls/drops.

    My main question is: is it normal that I have to set an MTU lower than 1500 on the main\external interface, which is on Ethernet, to allow the remote sites to function properly?
    LVL 24

    Expert Comment

    Hi huntex,

    You should be modifying the Watchguard's WAN connection. Here is how to manually or automatically achieve the correct MTU:

    Let me know how it goes!
    LVL 25

    Accepted Solution

    Why would changing the main\external-interface MTU to 1492 solve the remote speed issues?

    Because most of the web traffic flows to the inside (small queries, big answers).

    If your external MTU is bigger than the internal one, packets get fragmented.

    This is worse with small differences: a 1500 to 1492 translation will produce a 1492-sized packet and a ridiculously small 8-sized packet carrying almost zero payload.

    In that case (for example PPPoE on the external side and a regular LAN with no VLAN on the LAN side), you had better set the LAN's MTU to 1492 if you want proper incoming traffic.

    If the MTUs match exactly (think about what encapsulation each device adds), traffic will flow both ways flawlessly.

    Refer to @Fidelius's posts for added encapsulations.
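The fragmentation arithmetic behind the accepted answer, as an added example (not code from the thread). `fragment_sizes` applies the IPv4 rule that every fragment but the last carries a multiple of 8 payload bytes, and `packets_on_wire` counts how many packets a download of a given size costs when the sender's MTU is larger than the link's. The 20-byte header without options is an assumption of the example; the 1500/1492/1436 values are the ones from the thread.

```python
"""Added example: why an 8-byte MTU mismatch doubles the packet count of a download."""

IPV4_HEADER = 20  # bytes; IP options ignored (assumption for this example)


def fragment_sizes(packet_len, mtu, header=IPV4_HEADER):
    """On-wire sizes of the IPv4 fragments produced when a packet of packet_len
    bytes (header included, DF clear) is forwarded over a link with the given MTU.

    Every fragment except the last must carry a multiple of 8 payload bytes,
    so the usable payload per fragment is (mtu - header) rounded down to 8.
    """
    if packet_len <= mtu:
        return [packet_len]  # fits: no fragmentation
    payload = packet_len - header
    max_payload = (mtu - header) // 8 * 8
    sizes = []
    while payload > 0:
        chunk = min(max_payload, payload)
        sizes.append(header + chunk)
        payload -= chunk
    return sizes


def packets_on_wire(total_payload, sender_mtu, link_mtu, header=IPV4_HEADER):
    """Number of IPv4 packets (after fragmentation) needed to carry total_payload
    bytes when the sender emits sender_mtu-sized packets over a link_mtu link."""
    per_packet = sender_mtu - header
    full, remainder = divmod(total_payload, per_packet)
    count = full * len(fragment_sizes(sender_mtu, link_mtu, header))
    if remainder:
        count += len(fragment_sizes(header + remainder, link_mtu, header))
    return count


if __name__ == "__main__":
    # Ethernet-sized reply squeezed onto PPPoE: one big fragment plus an 8-byte tail.
    print(fragment_sizes(1500, 1492))       # [1492, 28]
    # Same reply squeezed into the measured 1436-byte tunnel path.
    print(fragment_sizes(1500, 1436))       # [1436, 84]
    # A 14800-byte download: mismatched MTUs vs. matched MTUs.
    print(packets_on_wire(14800, 1500, 1492))  # 20
    print(packets_on_wire(14800, 1492, 1492))  # 11
```

The count only applies when the oversize packets have DF clear. Modern TCP stacks set DF and rely on an ICMP "fragmentation needed" message to shrink their segments; if a device on the path drops that ICMP, large replies are silently discarded instead of fragmented, which is the other classic cause of "small pages load, big pages stall" behaviour.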
