Incorrect MTU Size on inline ProxySG causing issues or failures for bypassed applications

Article ID: 165363

Products

ProxySG Software - SGOS

Issue/Introduction

Some applications, SSL for example, sometimes fail when passing through an inline proxy even though the service is set to bypass. In most cases the handshake completes correctly, but once the application starts to send a full-sized packet of data, that packet is received by the ProxySG and is not forwarded.

This type of issue can be caused by the ProxySG's configured MTU being smaller than that of other devices on the network. The ProxySG receives the packet and sees that it is bigger than the MTU it is configured to use; if it cannot fragment the packet, the packet is dropped, which causes some applications to report problems or, in some cases, not to work at all.

Applications that use encryption are the most likely to run into this type of issue because encrypted packets can't be fragmented.

Resolution

To prevent this type of issue, set the ProxySG's MTU to the highest value used by the surrounding devices. For example, if workstations on the network use 1460 and the firewall is configured for 1400, configure 1460 on the ProxySG so that the firewall performs the fragmentation if required. If the ProxySG opens a socket through the firewall, it will lower the packet size to 1400 automatically, because the SYN/ACK packet received from the firewall will indicate that it cannot handle more than 1400.

Refer to article 000009827 if you need instructions on how to determine the largest packet that your network can handle.
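The following script is an added example, not part of the article or of Broadcom's own tooling. It shows one way to carry out the two steps above from a Linux workstation: measure the largest packet that crosses a path without fragmentation (a Don't-Fragment ping probed by binary search, which is what the referenced article covers), then pick the highest MTU among the surrounding devices as the value to configure on the ProxySG. It assumes iputils `ping` (`-M do` sets the DF bit); the target host and the 1500-byte upper bound are placeholders, and the 28-byte ICMP/IPv4 and 40-byte TCP/IPv4 header sizes are the standard values, not something the article states.

```shell
#!/bin/sh
# Added example, not code from the KB article.
# Assumes Linux iputils ping; "-M do" sets the Don't Fragment bit so an
# oversized probe is rejected instead of being fragmented along the way.

# probe SIZE: succeed (exit 0) if a DF-marked ping carrying SIZE payload
# bytes reaches $PROBE_HOST; PROBE_HOST is a placeholder set by the caller.
probe() {
    ping -c 1 -W 1 -M do -s "$1" "$PROBE_HOST" >/dev/null 2>&1
}

# find_max_payload LO HI: binary search for the largest payload size in
# [LO, HI] for which probe succeeds; prints that size (0 if none succeeds).
find_max_payload() {
    lo=$1; hi=$2; best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if probe "$mid"; then
            best=$mid; lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$best"
}

# payload_to_mtu PAYLOAD: ICMP payload + 8-byte ICMP header + 20-byte IPv4 header.
payload_to_mtu() {
    echo $(( $1 + 28 ))
}

# mss_for_mtu MTU: the TCP MSS a device with this MTU advertises in its
# SYN/ACK (MTU minus 20-byte IPv4 and 20-byte TCP headers). This is the value
# that makes the ProxySG lower its segment size automatically.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# largest_mtu MTU...: the article's rule, the highest MTU among the
# surrounding devices is what to configure on the ProxySG.
largest_mtu() {
    max=0
    for m in "$@"; do
        if [ "$m" -gt "$max" ]; then
            max=$m
        fi
    done
    echo "$max"
}

# Usage: ./mtu_probe.sh HOST [HOST...]
# Probes each host (e.g. a workstation and the far side of the firewall) and
# reports the MTU to set on the ProxySG. Does nothing when run without arguments.
if [ $# -gt 0 ]; then
    mtus=""
    for PROBE_HOST in "$@"; do
        payload=$(find_max_payload 0 1500)
        mtu=$(payload_to_mtu "$payload")
        echo "$PROBE_HOST: max payload $payload -> MTU $mtu (MSS $(mss_for_mtu "$mtu"))"
        mtus="$mtus $mtu"
    done
    # shellcheck disable=SC2086  # word splitting is intended here
    echo "Configure ProxySG MTU: $(largest_mtu $mtus)"
fi
```

With the article's example numbers, `largest_mtu 1460 1400` prints 1460, and `mss_for_mtu 1400` prints 1360, the MSS the firewall would advertise so that connections opened through it never exceed 1400-byte packets.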