Azure 1400 MTU VPN requirement
Greetings -
I have a network serving 60 VLANS with an M370 and have one VLAN needing to connect to an Azure while other VLANs connect to a Point to Point (non-Azure) VPN, and general traffic without any VPN whatsoever.
I am unsure as to the impact on the non-Azure traffic if I lower the MTU to 1400. Any pointers would be highly appreciated!
Answers
Hi @NewbieM370
You can set the MTU on the BOVPN itself if you're using a BOVPN virtual interface (BOVPN VIF.)
See:
(Configure a Maximum Transmission Unit (MTU) Value)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/bovpn_vif_mtu.html
There should be no reason to lower the MTU on any of your internal networks.
-James Carson
WatchGuard Customer Support
The impact of a lowered MTU is that packets bigger than the set MTU (1400) - that is, larger packets (up to 1500 for standard Ethernet) - will be split into 2: 1400 and the remainder.
For a standard BOVPN, the same will happen - but the VPN traffic is encapsulated and the data portion is reduced from whatever the real external interface is - often up to 100 bytes. So the outgoing 1500 byte data packet would be split into an approx 1300 byte VPN packet and a remainder packet.
Other than some overhead on your firewall, most things work just fine.
However, rarely some external web sites have issues when using a wrong MTU. No real idea why...
A solution to this (non BOVPN connections I believe) is to have PMTU Discovery enabled on internal sending devices - which will result in the device understanding the max packet size which can be sent and will thus not send a packet which needs to be split.
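As an added illustration of the fragmentation and PMTU Discovery behaviour described above (example code, not from the original thread): the 1400-byte MTU follows the question, the ~100 bytes of tunnel overhead is an assumed round figure, and real ESP/IKE overhead varies with the cipher and mode.

```python
"""Small model of IPv4 fragmentation and PMTUD against a lowered MTU.

Added example, not from the thread. The 100-byte encapsulation overhead is
an assumption for illustration; measure the real value on your tunnel.
"""

IPV4_HEADER = 20  # bytes, header without options


def fragment_ipv4(total_len: int, mtu: int, df: bool = False):
    """Sizes of the fragments a router emits for an IPv4 packet of
    total_len bytes when the next-hop MTU is mtu.

    With the Don't Fragment bit set the router drops the packet and sends
    ICMP 'Fragmentation Needed' carrying the MTU it can forward; that is
    the signal PMTUD relies on, so the function returns it instead.
    """
    if total_len <= mtu:
        return [total_len]
    if df:
        return ("ICMP_FRAG_NEEDED", mtu)
    # Every fragment except the last must carry a payload that is a
    # multiple of 8 bytes, so the usable payload per fragment is rounded.
    payload_per_frag = (mtu - IPV4_HEADER) // 8 * 8
    payload_left = total_len - IPV4_HEADER
    sizes = []
    while payload_left > 0:
        chunk = min(payload_per_frag, payload_left)
        sizes.append(IPV4_HEADER + chunk)  # each fragment gets its own header
        payload_left -= chunk
    return sizes


def tunnel_inner_mtu(link_mtu: int, encap_overhead: int = 100) -> int:
    """Largest inner packet that fits in one tunnel packet on a link of
    link_mtu bytes once encap_overhead bytes of tunnel headers are added."""
    return link_mtu - encap_overhead


if __name__ == "__main__":
    # Plain 1500-byte packet hitting a 1400 MTU: ~1400 plus a remainder.
    print(fragment_ipv4(1500, 1400))                      # [1396, 124]
    # Same packet entering a tunnel on a 1400 MTU link: ~1300 plus remainder.
    print(fragment_ipv4(1500, tunnel_inner_mtu(1400)))    # [1300, 220]
    # DF set: no fragments, the sender must learn the smaller MTU via ICMP.
    print(fragment_ipv4(1500, 1400, df=True))             # ('ICMP_FRAG_NEEDED', 1400)
```

The DF case only works if the ICMP 'Fragmentation Needed' message reaches the sender; where a firewall filters it, large packets are silently dropped, which is one plausible cause of the odd per-site failures mentioned above.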
Thanks for your input.
Is it an option to configure one BOVPN VIF just for Azure with a 1400 MTU, leaving the rest of the topology intact for all other traffic, including non-Azure VPN, or must all VPNs go through the same BOVPN VIF (with a 1400 MTU)?
@NewbieM370 The VIF would be specific to your Azure connection (you set up a different VIF for each endpoint.)
If you had to connect to an AWS endpoint, an Azure endpoint, and a physical firewall (like an HQ somewhere) you'd set up three VIFs, one for each.
-James Carson
WatchGuard Customer Support