Forum Discussion
VPN fragmented IP packets dropped
as recommended by K52103592 referred by the error log, it is better if you solve the MTU matter.
executing irules for every IP fragment might cause performance problem.
enabling jumbo frame (MTU=9000 bytes) might help.
i assume the f5 resides behind router/switch which most of them supports jumbo frame nowadays.
https://en.wikipedia.org/wiki/Jumbo_frame
- Neo_PhMay 14, 2024Altocumulus
There's a VPN tunnel in the picture, that is forcing the MTU to 1400 -- hence why we get packets with less than 552bytes & with the MF set.
I agree that performance might become an issue. What would be a good option is: to limit performance problems by creating a new VS for all remote VPN sites, with the same pool members. The iRule would only be used on that new dedicated VS for remote VPN sites traffic only.
Thanks for your feedback.- zamroni777May 16, 2024Nacreous
default ethernet mtu is 1500 bytes.
the 100 bytes difference to vpn's 1400 might be cause of the small fragment.enabling jumbo frame 9000 bytes mtu on physical interface means adjacent switch/router will less likely to send fragmented payload to the f5.
- Neo_PhMay 17, 2024Altocumulus
I agree for the jumbo frames. Despite having jumbo frames on the path, when packets goes through the VPN, we have to force the MTU to 1400.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com