How to decrease a Kemp LoadMaster interface MTU to support VPN client traffic

The MTU on the LoadMaster interface may need to be decreased to allow for the additional overhead of the VPN protocol.

Reason:

Best practice is usually to reduce the MTU on VPN tunnel interfaces to something like 1392, as this provides enough allowance for the core packet plus VPN overhead. The LoadMaster default MTU is 1500, which is higher than the VPN best practice. The LoadMaster also sets the “Do Not Fragment” flag on packets as they egress the LoadMaster, so no device will fragment them before they reach the VPN interface. Packets arriving at 1500 will be rejected or discarded due to their size.

This issue may be evident in a tcpdump capture as a “fragmentation needed” ICMP message.

Since fragmentation must occur before the VPN encryption, most VPNs would likely discard the fragmented packets for security reasons anyway.

Resolution:

The MTU on the LoadMaster interface(s) should be lowered to match that of the VPN tunnel interface. This way packets egress the LoadMaster at an acceptable size and there is no need for fragmentation.

Ping Test

ping www.google.com -f -l xxxx 
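
The ping test above can be automated by binary-searching the largest payload that gets a reply with Don't Fragment set; that payload plus 28 bytes of IPv4 and ICMP headers is the usable MTU along the path. This is an added example, not Kemp's code: `ping_df` and `find_path_mtu` are hypothetical names, and the non-Windows branch assumes the Linux iputils `ping`.

```python
import platform
import subprocess
import sys

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_df(host, payload, timeout_s=2):
    """Send one echo request of `payload` bytes with Don't Fragment set."""
    if platform.system() == "Windows":  # same -f -l flags as the article
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000),
               "-f", "-l", str(payload), host]
    else:  # assumption: Linux iputils ping (-M do sets DF)
        cmd = ["ping", "-c", "1", "-W", str(timeout_s),
               "-M", "do", "-s", str(payload), host]
    out = subprocess.run(cmd, capture_output=True, text=True)
    # Exit codes for ICMP error replies differ between ping implementations,
    # so also require a TTL field, which only a real echo reply prints.
    return out.returncode == 0 and "ttl=" in out.stdout.lower()


def find_path_mtu(probe, low=548, high=1472):
    """Return (payload, mtu) for the largest payload `probe` accepts.

    Defaults span MTU 576 to 1500 (the LoadMaster default).
    Returns None if even the smallest payload gets no reply.
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2  # round up so the loop always shrinks
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low, low + IP_ICMP_OVERHEAD


if __name__ == "__main__":
    host = sys.argv[1]  # a host that is reached through the VPN tunnel
    found = find_path_mtu(lambda size: ping_df(host, size))
    if found is None:
        print("no reply even at the minimum size; check reachability")
    else:
        print(f"largest payload {found[0]} bytes -> path MTU {found[1]}")
```

A probe lost to ordinary packet loss is indistinguishable from one that was too large, so repeat the run and take the highest consistent result before changing the interface MTU.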



Comments

abentley

I need to change the MTU on a bonded interface - do I need to break the bond and set the MTU on the individual interfaces then recreate the bond?

Justin Federico

@abentley

You will need to break the bond in order to change the MTU value as there is no setting for this in the WUI. Also there currently is no mechanism in the API to change the MTU of a bonded interface.

Once the bond is broken, change the MTU value on the interface where the bond is initially created. You can then add the other interface(s) to the bond. You do not need to change the MTU on the interface(s) being added to the bond.
