Thursday, April 29, 2021

What would cause packets to be so huge and be tagged with "Do not fragment = 1"?

I was investigating speed problems here https://www.reddit.com/r/sophos/comments/mzwfu0/ipsec_vpn_slowness_in_one_direction_over_2x_sites/ and noticed something strange.

Info:

Site A:
300/300 Mbps
Software Sophos XG firewall
VMware / vCenter on a VxRail cluster

Site B:
1/1 Gbps
Software Sophos XG firewall
VMware / vCenter on IBM blades

IPsec VPN between the two sites

Traffic flows fast from Site A to B but is dead slow from B to A.

What I noticed while looking at the capture in Wireshark with a Sophos engineer is that the packets from site B are trying to send at huge sizes, way larger than our MTU and upwards of 22000 in packet length, and these large packets have the header DO NOT FRAGMENT = 1.

What would cause the packets to be set to Do Not Fragment? Where in the network could something cause the size to be so large (or inject data into packets)?

Thanks, this is crazy.
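Added check and example (editor's addition, not part of the original post): the first thing to establish with a capture like this is where it was taken. If it came from the sending VM or from the hypervisor's virtual NIC, frames larger than the MTU with DF set are exactly what TCP segmentation offload looks like: the guest kernel hands the vNIC one large segment, the capture tap records it before the NIC or hypervisor splits it into MTU-sized packets, and DF is set because TCP stacks set it for Path MTU Discovery. Note also that Wireshark's Length column is the frame length, which includes the 14-byte Ethernet header. A frame larger than the MTU seen on the physical wire, or inside the IPsec tunnel, would be a different matter. The script below, pure standard-library Python, walks a classic libpcap file (not pcapng), assumes Ethernet frames with at most one 802.1Q tag, and lists every IPv4 packet whose Total Length exceeds a given MTU together with its DF bit. The sample capture it builds, including the 10.0.x.x addresses, is constructed here for the example and is not the capture from the post.

```python
"""List IPv4 packets in a classic pcap whose Total Length exceeds the MTU and
report whether each carries the Don't Fragment bit.  Standard library only.
The sample capture at the bottom is constructed for this example."""
import struct
import sys
from dataclasses import dataclass
from typing import List

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
IP_FLAG_DF = 0x4000          # bit 1 of the IPv4 flags field
LINKTYPE_ETHERNET = 1


@dataclass
class Finding:
    frame_no: int            # 1-based, as Wireshark numbers frames
    frame_len: int           # on-the-wire length from the pcap record header
    ip_total_len: int        # Total Length field of the IPv4 header
    df: bool                 # Don't Fragment bit set
    protocol: int            # IP protocol number (6 = TCP, 17 = UDP)
    src: str
    dst: str


def _pcap_byte_order(magic_bytes: bytes) -> str:
    """Return the struct byte-order prefix for this pcap, or raise."""
    magic = struct.unpack("<I", magic_bytes)[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):      # usec / nsec, little-endian
        return "<"
    if magic in (0xD4C3B2A1, 0x4D3CB2A1):      # the same magics, big-endian
        return ">"
    raise ValueError("not a classic libpcap file (pcapng is not handled here)")


def iter_frames(pcap: bytes):
    """Yield (frame_no, orig_len, frame_bytes) for each record in the file."""
    bo = _pcap_byte_order(pcap[:4])
    _, _, _, _, _, _, linktype = struct.unpack(bo + "IHHiIII", pcap[:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off, n = 24, 0
    while off + 16 <= len(pcap):
        _, _, incl_len, orig_len = struct.unpack(bo + "IIII", pcap[off:off + 16])
        off += 16
        n += 1
        yield n, orig_len, pcap[off:off + incl_len]
        off += incl_len


def _ipv4_offset(frame: bytes):
    """Offset of the IPv4 header in an Ethernet frame, or None if not IPv4."""
    if len(frame) < ETH_HDR_LEN:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off = ETH_HDR_LEN
    if ethertype == ETHERTYPE_VLAN:            # skip one 802.1Q tag
        if len(frame) < off + 4:
            return None
        ethertype = struct.unpack("!H", frame[off + 2:off + 4])[0]
        off += 4
    return off if ethertype == ETHERTYPE_IPV4 else None


def find_oversized(pcap: bytes, mtu: int = 1500) -> List[Finding]:
    """Report every IPv4 packet whose Total Length is larger than `mtu`."""
    findings = []
    for frame_no, orig_len, frame in iter_frames(pcap):
        off = _ipv4_offset(frame)
        if off is None or len(frame) < off + 20:
            continue
        (ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto,
         _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", frame[off:off + 20])
        if ver_ihl >> 4 != 4 or total_len <= mtu:
            continue
        findings.append(Finding(frame_no, orig_len, total_len,
                                bool(flags_frag & IP_FLAG_DF), proto,
                                ".".join(map(str, src)), ".".join(map(str, dst))))
    return findings


def _ipv4_frame(payload_len: int, df: bool, proto: int) -> bytes:
    """Build an Ethernet+IPv4 frame with a zero payload (constructed test data)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                     IP_FLAG_DF if df else 0, 64, proto, 0,
                     bytes([10, 0, 2, 10]), bytes([10, 0, 1, 10]))
    return bytes(12) + struct.pack("!H", ETHERTYPE_IPV4) + ip + bytes(payload_len)


def build_sample_pcap() -> bytes:
    """Constructed capture: one normal segment, one offload-sized TCP segment
    with DF, one oversized UDP datagram without DF."""
    frames = [_ipv4_frame(1460, True, 6),     # 1480-byte TCP, fits a 1500 MTU
              _ipv4_frame(21980, True, 6),    # 22000-byte TCP datagram, DF set
              _ipv4_frame(2980, False, 17)]   # 3000-byte UDP datagram, no DF
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for f in frames:
        out += struct.pack("<IIII", 1619690000, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for f in find_oversized(data, mtu=1500):
        print(f"frame {f.frame_no}: frame_len={f.frame_len} ip_len={f.ip_total_len} "
              f"DF={f.df} proto={f.protocol} {f.src} -> {f.dst}")
```

Run it with a capture file as the only argument, or with no argument to see the constructed sample. If every oversized frame is in the direction the capturing host is sending, and the same flow looks normal in a capture taken on the far side of the physical uplink, offload rather than the network is producing the large frames; comparing the two capture points is the check that separates the two cases.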
