PMTU Setting for IPSec

The Path Maximum Transmission Unit (PMTU) setting controls how long the Firebox lowers the MTU for an IPSec VPN tunnel after it receives an ICMP Request to Fragment packet from a router on the Internet that has a lower MTU setting.

This advanced interface setting applies to external interfaces only. You configure this in the Advanced tab when you edit an external interface.

[Screenshot: The PMTU settings for an external interface in Fireware Web UI]

[Screenshot: The PMTU settings for an external interface in Policy Manager]

We recommend that you keep the default setting. This can protect you from a router on the Internet with a very low MTU setting.

In Fireware v12.2.1 or higher, you can configure the PMTU settings in the gateway endpoint settings in BOVPN and BOVPN virtual interface configurations. The PMTU settings specified for a gateway endpoint override the PMTU setting specified for the external interface.