Configure a Maximum Transmission Unit (MTU) Value
The maximum transmission unit (MTU) specifies the largest data packet, measured in bytes, that a network can transmit.
In most cases, you can use the default MTU values on the Firebox:
- For GRE-based virtual interfaces, the MTU is 1476 bytes.
- For VTI-based virtual interfaces, the MTU is 1500 bytes.
In Fireware v12.5 or higher, you can specify a custom MTU value for BOVPN virtual interfaces. The MTU setting is specific to individual BOVPN virtual interfaces and is not a global Firebox setting.
You might need to specify a custom MTU value if your Firebox connects to a third-party VPN endpoint that drops packets that exceed a certain size. To determine whether the third-party endpoint requires a custom MTU value, see the documentation provided by the third-party vendor.
MTU Requirement for Microsoft Azure VPNs
For Azure VPN connections, Microsoft requires an MTU of 1400 or a TCP MSS of 1350. The Azure VPN gateway drops packets with a total packet size larger than 1400.
If the Azure VPN gateway drops packets from your Firebox, we recommend these Firebox settings:
- Fireware v12.5 or higher — In the BOVPN virtual interface configuration, specify an MTU of 1400.
- Fireware v12.4.1 or lower — In the physical interface configuration, specify an MTU of 1400.
As an alternative, you can set the global TCP MSS value to 1350. However, we do not recommend this option because this setting affects other Firebox interfaces and applies only to TCP traffic. For example, this setting does not apply to RDP traffic in most cases because RDP usually uses UDP. If you use RDP to access servers hosted in Azure, Azure drops packets larger than 1400 bytes even if you specify the recommended TCP MSS value. For more information about the TCP MSS setting, go to Define Firebox Global Settings.
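To confirm that a remote VPN endpoint drops packets above a certain size (1400 bytes for Azure, as described above), you can probe the path with don't-fragment pings from a host behind the Firebox. The following is an added example, not WatchGuard code; it assumes Linux iputils ping, and the function names and the 192.0.2.10 address are hypothetical.

```python
import subprocess

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header


def ping_probe(host):
    """Return a probe that sends one don't-fragment ping of a given total packet size.

    Assumes Linux iputils ping, where "-M do" sets DF and prohibits fragmentation.
    """
    def probe(packet_size):
        payload = packet_size - IP_ICMP_OVERHEAD  # -s takes the ICMP payload size
        result = subprocess.run(
            ["ping", "-M", "do", "-c", "1", "-W", "2", "-s", str(payload), host],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
        )
        return result.returncode == 0
    return probe


def largest_passing_size(probe, low=68, high=1500):
    """Binary-search the largest packet size in [low, high] that the path delivers.

    Returns None if even `low` fails (host unreachable or ICMP filtered),
    because then the result says nothing about the MTU.
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2  # round up so the loop always makes progress
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low


def simulated_path(limit):
    """Constructed stand-in for a tunnel that drops packets larger than `limit` bytes."""
    return lambda packet_size: packet_size <= limit


if __name__ == "__main__":
    # Offline demonstration against the constructed path. For a live check, use
    # ping_probe("192.0.2.10") (hypothetical host reachable only through the tunnel).
    print(largest_passing_size(simulated_path(1400)))
```

Each size is tested with a single ping, so on a lossy link repeat the run before you change the tunnel MTU based on the result.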
Configure an MTU
To configure a custom MTU value in Fireware Web UI or Policy Manager, your Firebox must have Fireware v12.5.4 or higher. In Fireware v12.5 to v12.5.3, you must use the CLI to configure the MTU setting as specified in the Fireware v12.5 to v12.5.3 section.
- Select VPN > BOVPN Virtual Interfaces.
- Select a virtual interface and click Edit.
- Click VPN Routes.
- Select Restrict Tunnel MTU.
- In the adjacent text box, keep the default value of 1400 or type a value between 68 and 9000.
Configure an MTU in Fireware v12.5 to v12.5.3
In Fireware v12.5 to v12.5.3, you must use the CLI to configure the MTU setting. Use this command:
diagnose vpn "/ipsec/vif/mtu/set \"[interface_name]\" [MTU]"
For example, to change the MTU for the interface BovpnVif.1 to 1400, specify:
diagnose vpn "/ipsec/vif/mtu/set \"BovpnVif.1\" 1400"