[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [FW1] MTU & Fragmentation question
Paul, I can't think of a way to measure the smallest mtu from end to end without sending packets to a remote host and watching it get reassembled. If I remember correctly, the IP header is about 24 bytes, so a MTU of 1476 should be sufficient. This is perhaps a question best directed to check point support. Paul Keser wrote: > We have a customer sending a large volume of mail over an ISAKMP VPN. > They are only seeing 16kb/sec throughput. Logs look good. vmstat on > both FW's (running Solaris FW1 4.1 bld 41489) shows 50-70 % idle on more > > loaded fw, 90% idle on other. > > The only firewall related issue I could think of could be excessive > fragmentation due to encapsulation. This raises 2 questions: > > 1. How much under the minimum MTU in the route should I set the > firewalls MTU to prevent this? > > 2. What should I grep for when snooping to see if there are excessive > requests to fragment? > > Any other suggestions to TS will be greatly appreciated! I don't think > the problem lies in the FW's but it is hard to show since when they use > the existing F-R net they don't have the problem. > > -PaulK > > ================================================================================ > To unsubscribe from this mailing list, please see the instructions at > http://www.checkpoint.com/services/mailing.html > ================================================================================ ================================================================================ To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================================================
|