huntex (Canada) asked:

MTU IPSec Zero Route

I have been working on this problem for quite some time now with zero results.
For some reason even after working out the correct MTU (with ping -f -l xxxx or mtupath.exe) I still get terrible/no results on web browsing speed. Now it seems as if I need to reboot the remote box every day or two for web browsing to reestablish. All other traffic passes fine, HTTP doesn't.

Main site is running a Watchguard x550, external interface on an Ethernet line.
Remote is running a Watchguard x15, external interface on a PPPoE line.
There is an IPSec tunnel between the two locations with a zero route to force the traffic through the main site for web blocker purposes.

MTU on main\external-interface is set to 1500. (Best I could get)
MTU on remote\external-interface is set to 1400 (Best I could get)
Websites do not load. Unless…
If I change the MTU on Main\external-interface to 1492 the remote sites are fast and web browsing is perfect.

Why would changing the main\external-interface MTU to 1492 solve the remote speed issues?

Here is the MTU I worked out with mtupath.exe and the same results with the simple DOS command:
From Main, To Internet, MTU=1500
From Main, To Remote, MTU=1436
From Remote, To Internet, MTU=1400
From Remote, To Main, MTU=1436

If I remove the zero route on the VPN tunnel then web traffic is fine.
Fidelius (Croatia) replied:

Default MTU for PPPoE line is 1492, and your remote sites are connected by PPPoE to Internet.
So without the zero route your web traffic from the remote site will go directly to the Internet with an MTU of 1492.

On main site you have Ethernet connection so MTU is 1500, as this is default MTU for Ethernet ports.

Between main and remote you are using VPN, so because of IPSec headers + PPPoE header, MTU is lower:
1436 = 1500 - 8 - IPSec header

What do you use as web blocker? As only web traffic is affected I suspect that web blocker affects MTU in some way.
Can you temporarily disable the web blocker and try to route web traffic from the remote site through the main site?
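An added example (not code from the thread or from WatchGuard) that puts Fidelius's overhead arithmetic and the `ping -f -l` probing from the question into a runnable script: it derives the tunnel MTU from the PPPoE and IPSec overheads, and binary-searches the path MTU with a Don't-Fragment probe, here simulated. The 56-byte IPSec overhead is an assumption back-computed from the thread's 1492 - 1436, and the `windows_df_ping` wrapper is hypothetical, only illustrating how the real command would plug in.

```python
from typing import Callable

# Constructed constants for this example (sizes in bytes).
IP_HDR = 20            # IPv4 header without options
ICMP_HDR = 8           # ICMP echo header, so `ping -l N` puts N + 28 bytes on the wire
PPPOE_OVERHEAD = 8     # PPPoE session header (6) + PPP protocol field (2): 1500 -> 1492
IPSEC_OVERHEAD = 56    # assumption derived from the thread's figures: 1492 - 1436

def tunnel_mtu(link_mtu: int, pppoe: bool, ipsec_overhead: int = IPSEC_OVERHEAD) -> int:
    """Largest IP packet that fits inside the IPSec tunnel over a given WAN link."""
    underlay = link_mtu - (PPPOE_OVERHEAD if pppoe else 0)
    return underlay - ipsec_overhead

def pmtu_from_ping_payload(payload: int) -> int:
    """Convert the largest `ping -f -l <payload>` that still passes into a path MTU."""
    return payload + IP_HDR + ICMP_HDR

def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Binary-search the largest DF-marked packet size in [lo, hi] that `probe` delivers.
    `probe(size)` must return True when a `size`-byte packet with DF set is answered."""
    if not probe(lo):
        raise ValueError(f"{lo}-byte probe failed: link down or DF probes are filtered")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid           # mid fits, so the answer is mid or larger
        else:
            hi = mid - 1       # mid was too big
    return lo

def simulated_path(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a real DF ping: a probe passes iff it fits the path."""
    return lambda size: size <= path_mtu

def windows_df_ping(host: str) -> Callable[[int], bool]:
    """Hypothetical real probe wrapping the Windows `ping -f -l` command from the
    question; a reply line containing 'TTL=' means the DF-marked packet was answered."""
    import subprocess
    def probe(size: int) -> bool:
        payload = size - IP_HDR - ICMP_HDR
        out = subprocess.run(["ping", "-f", "-n", "1", "-l", str(payload), host],
                             capture_output=True, text=True).stdout
        return "TTL=" in out
    return probe

if __name__ == "__main__":
    # Remote (PPPoE) -> Main through the tunnel, as measured in the thread: 1436
    print("tunnel MTU over PPPoE :", tunnel_mtu(1500, pppoe=True))
    print("probed path MTU       :", find_path_mtu(simulated_path(1436)))
```

Swap `simulated_path(...)` for `windows_df_ping("<remote host>")` to run the search against a live tunnel; the search needs about ten probes instead of stepping the `-l` value down by hand.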
huntex (asker) replied:

Thank you.
I have disabled web blocker (by watchguard) the connection still stalls/drops.

My main question is, is it normal that I have to set an MTU lower than 1500 on the main\external interface that is on ethernet to allow the remote sites to function properly?
Hi huntex,

You should be modifying the WatchGuard's WAN connection. Here is how to manually or automatically achieve the correct MTU: https://www.experts-exchange.com/A_12615.html

Let me know how it goes!
ASKER CERTIFIED SOLUTION: skullnobrains