Forum Discussion
VPN fragmented IP packets dropped
One advantage of BIG-IP's full-proxy architecture is that you can have it adjust the TCP MSS on the server-side of the flow so that a connection initiated from outside can have a different effective packet size. You can do this inside the TCP profile using "Proxy Maximum Segment" and "Max Segment Size". If you want to try it, make a new TCP profile with those options and apply it to a new more specific L4 virtual server to catch and forward the VPN traffic.
This would work when the SERVER is sending a lot of data to the client, but not if the CLIENT is sending a lot of data to the server, because the MSS info comes from the client's side of the connection (in our full-proxy case there are 2 "client sides": one is BIG-IP and one is the client).
Of course this isn't helpful for UDP or other traffic, but for TCP it should prevent these little fragments from the server.
- Neo_Ph, May 17, 2024 (Altocumulus)
Thanks for the suggestion. In my case it's UDP/1812 being affected when the end user sends a TLS EAP response containing its Certificate, key exchange, etc. TCP-MSS won't help in that case.
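
An added example, not part of either post above: a Python sketch of why clamping the MSS keeps TCP packets within the path MTU, while a large UDP datagram such as the UDP/1812 traffic described in the reply is still fragmented at the IP layer. The MTU and payload sizes are constructed, and IPv4 and TCP headers without options are assumed.

```python
# Added illustration: constructed sizes, IPv4/TCP headers without options assumed.
IP_HDR = 20    # IPv4 header, no options
TCP_HDR = 20   # TCP header, no options
UDP_HDR = 8


def clamped_mss(path_mtu, tunnel_overhead=0):
    """Largest TCP MSS whose segments fit the path without IP fragmentation."""
    return path_mtu - tunnel_overhead - IP_HDR - TCP_HDR


def ipv4_fragments(ip_payload_len, mtu):
    """Split an IP payload into (offset_in_8_byte_units, length, more_fragments)."""
    # Every fragment except the last must carry a multiple of 8 bytes.
    max_data = (mtu - IP_HDR) // 8 * 8
    frags, offset = [], 0
    while offset < ip_payload_len:
        length = min(max_data, ip_payload_len - offset)
        more = offset + length < ip_payload_len
        frags.append((offset // 8, length, more))
        offset += length
    return frags


def tcp_segments(app_bytes, mss):
    """TCP cuts the byte stream itself; each segment travels as one whole IP packet."""
    return [min(mss, app_bytes - i) for i in range(0, app_bytes, mss)]


def udp_fragments(app_bytes, mtu):
    """UDP has no MSS to negotiate: one datagram, fragmented by the IP layer."""
    return ipv4_fragments(UDP_HDR + app_bytes, mtu)


if __name__ == "__main__":
    mtu = 1400       # constructed path MTU
    payload = 3000   # constructed size of one large application message
    mss = clamped_mss(mtu)
    print("TCP MSS:", mss, "segment sizes:", tcp_segments(payload, mss))
    for off, length, mf in udp_fragments(payload, mtu):
        print(f"UDP fragment offset={off * 8} len={length} MF={int(mf)}")
```

Only the first UDP fragment carries the UDP header with the port numbers, so a device that does not reassemble sees the later fragments without any L4 information.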