Forum Discussion
Neo_Ph
Altocumulus
AltocumulusVPN fragmented IP packets dropped
VPN fragmented IP packets being dropped by the Big-IP, because of 'tm.minipfragsize > default=552' (K52103592) TCPDump showed the ip packets arriving on the client-side and never being forwarded on ...
zamroni777
Nacreous
Nacreousas recommended by K52103592 referred by the error log, it is better if you solve the MTU matter.
executing irules for every IP fragment might cause performance problem.
enabling jumbo frame (MTU=9000 bytes) might help.
i assume the f5 resides behind router/switch which most of them supports jumbo frame nowadays.
https://en.wikipedia.org/wiki/Jumbo_frame
Neo_PhThere's a VPN tunnel in the picture, that is forcing the MTU to 1400 -- hence why we get packets with less than 552bytes & with the MF set.
I agree that performance might become an issue. What would be a good option is: to limit performance problems by creating a new VS for all remote VPN sites, with the same pool members. The iRule would only be used on that new dedicated VS for remote VPN sites traffic only.
Thanks for your feedback.- zamroni777
default ethernet mtu is 1500 bytes.
the 100 bytes difference to vpn's 1400 might be cause of the small fragment.enabling jumbo frame 9000 bytes mtu on physical interface means adjacent switch/router will less likely to send fragmented payload to the f5.
- Neo_Ph
I agree for the jumbo frames. Despite having jumbo frames on the path, when packets goes through the VPN, we have to force the MTU to 1400.