Decreasing LoadMaster MTU to support VPN client traffic

The MTU on the LoadMaster interface may need to be decreased to allow for the additional overhead of the VPN protocol.

Reason:

Best practice is usually to reduce the MTU on VPN tunnel interfaces to something like 1392, as this leaves enough allowance for the core packet plus the VPN overhead. The LoadMaster default MTU is 1500, which is higher than the VPN best practice. The LoadMaster also sets the “Do Not Fragment” flag on packets as they egress the LoadMaster. This means that the packets will not be fragmented by any device before they reach the VPN interface. Packets arriving at 1500 bytes will therefore be rejected or discarded due to their size.

This issue may be evident in a tcpdump capture as a “fragmentation needed” ICMP message.

Since fragmentation must occur before the VPN encryption, most VPNs would likely discard the fragmented packets for security reasons anyway.

Resolution:

The MTU on the LoadMaster interface(s) should be lowered to match that of the VPN tunnel interface. This way, the packets egress the LoadMaster at an acceptable size and there is no need for fragmentation.

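Ping Test

Replace xxxx with the payload size in bytes to test. This is Windows ping syntax: -f sets the Don't Fragment flag and -l sets the payload size.

ping www.google.com -f -l xxxx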
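
The ping test automated as a binary search, as an added example that is not part of the original article: it finds the largest payload that still gets a reply with Don't Fragment set, then adds the 28 bytes of IPv4 and ICMP headers to give the MTU. The function names are illustrative, and the non-Windows branch assumes Linux iputils ping (`-M do -s`).

```python
import platform
import subprocess
import sys

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header


def ping_df(host, payload, timeout_s=2):
    """Send one echo request of `payload` bytes with Don't Fragment set."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000),
               "-f", "-l", str(payload), host]
    else:  # assumption: Linux iputils ping
        cmd = ["ping", "-c", "1", "-W", str(timeout_s),
               "-M", "do", "-s", str(payload), host]
    try:
        res = subprocess.run(cmd, capture_output=True, text=True,
                             timeout=timeout_s + 3)
    except (subprocess.TimeoutExpired, OSError):
        return False
    # Require an actual echo reply line rather than trusting the exit code.
    return res.returncode == 0 and "ttl=" in res.stdout.lower()


def largest_df_payload(probe, low=0, high=1500 - IP_ICMP_OVERHEAD):
    """Largest payload in [low, high] that probe() accepts, or None."""
    if not probe(low):
        return None  # host unreachable or ICMP filtered: nothing to measure
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid        # mid fits, search upwards
        else:
            high = mid - 1   # mid too big, search downwards
    return low


def path_mtu(probe, interface_mtu=1500):
    """Largest unfragmented IP packet size on the path, or None."""
    payload = largest_df_payload(probe, 0, interface_mtu - IP_ICMP_OVERHEAD)
    return None if payload is None else payload + IP_ICMP_OVERHEAD


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "www.google.com"
    mtu = path_mtu(lambda size: ping_df(host, size))
    print("no reply to DF pings" if mtu is None else
          f"largest payload {mtu - IP_ICMP_OVERHEAD}, path MTU {mtu}")
```

Run it from a host whose own interface MTU is still 1500; a result below 1500 is the largest packet size that crosses the path without fragmentation.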
