Fragmentation Needed - Error On Dropped Packets Sent Through Tunnel


1/21/22, 2:29 PM "Fragmentation needed" error on dropped packets sent through tunnel


Solution ID: sk121114
Product: Quantum Spark Appliances
Version: R77.20, R80.20
OS: Gaia Embedded
Platform / Model: 1100, 1400, 600, 700, 1200R, 900, 1500, 1600, 1800
Date Created: 25-Oct-2017

Symptoms
Packets sent through the VPN tunnel are dropped with the "Fragmentation needed" error.
Packets sent through the VPN tunnel are dropped with the following error:
;[fw4_0];fw_log_drop_ex: Packet proto=6 10.132.136.19:50494 -> 10.129.3.104:65122 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;
The VPN peer is a third party.

Cause
Packets were sent with a higher MSS than is set on the other site.

Solution
To resolve the problem, enable MSS clamping on the SMB appliance:

1. Connect to the device terminal and enter Expert mode.

2. Run the following commands:

   [Expert@Hostname]# echo "fw_allow_out_of_state_post_syn=1" >> $FWDIR/modules/fwkern.conf
   [Expert@Hostname]# echo "fw_allow_out_of_state_icmp=1" >> $FWDIR/modules/fwkern.conf
   [Expert@Hostname]# echo "fw_icmp_redirects=1" >> $FWDIR/modules/fwkern.conf
   [Expert@Hostname]# echo "fw_clamp_tcp_mss=1" >> $FWDIR/modules/fwkern.conf

3. Set the value of "Stateful Inspection - Accept out of state TCP packets" to 1 in the advanced settings of the device.

4. Set the MTU of the LAN network and WAN to 1400.

5. Set "Keep DF flag on packet" to true in the advanced settings of the device.

6. Reboot.
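
The `echo ... >>` commands above append a new line every time they are run, so repeating the procedure leaves duplicate or conflicting entries in fwkern.conf. The following script is an added example, not part of the Check Point article: it sets each of the four parameters exactly once and keeps a backup of the previous file. The helper names `set_fwkern_param` and `apply_mss_clamp_params` are hypothetical, and it assumes a POSIX shell with `grep`, `awk` and `cp` available.

```shell
#!/bin/sh
# Added example, not Check Point code. set_fwkern_param and
# apply_mss_clamp_params are hypothetical helper names.

# Set key=value in a fwkern.conf-style file exactly once.
set_fwkern_param() {
    conf=$1 key=$2 val=$3
    [ -f "$conf" ] || : > "$conf"
    # Already present exactly once with the wanted value: leave the file alone.
    if [ "$(grep -c "^${key}=" "$conf")" = "1" ] &&
       grep -q "^${key}=${val}\$" "$conf"; then
        return 0
    fi
    cp -p "$conf" "${conf}.bak"            # keep the previous state for rollback
    tmp="${conf}.new.$$"
    # Drop every old line for this key, then append one fresh line. awk also
    # terminates a last line that had no newline, which a bare `echo >>`
    # would otherwise glue the new parameter onto.
    awk -F= -v k="$key" -v v="$val" \
        '$1 != k { print } END { print k "=" v }' "$conf" > "$tmp"
    cat "$tmp" > "$conf"                   # rewrite in place, keeps owner and mode
    rm -f "$tmp"
}

# The four parameters from the article's commands.
apply_mss_clamp_params() {
    for kv in fw_allow_out_of_state_post_syn=1 fw_allow_out_of_state_icmp=1 \
              fw_icmp_redirects=1 fw_clamp_tcp_mss=1; do
        set_fwkern_param "$1" "${kv%%=*}" "${kv#*=}" || return 1
    done
}

# Demo on a constructed file: a stale value, a duplicate, no trailing newline.
demo_conf="${TMPDIR:-/tmp}/fwkern.conf.demo.$$"
printf 'fw_clamp_tcp_mss=0\nfw_icmp_redirects=1\nfw_clamp_tcp_mss=0' > "$demo_conf"
apply_mss_clamp_params "$demo_conf"
apply_mss_clamp_params "$demo_conf"        # second run changes nothing
sort "$demo_conf"
rm -f "$demo_conf" "${demo_conf}.bak"
```

On the appliance, the equivalent call in Expert mode would be `apply_mss_clamp_params "$FWDIR/modules/fwkern.conf"`, run before the reboot step.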

Related Solutions:

sk63560 - How to run complete VPN debug on Security Gateway to troubleshoot VPN issues?
sk101219 - New VPN features in R77.20 and later

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.


©1994-2022 Check Point Software Technologies Ltd. All rights reserved.
