Using advanced features
202 Avaya VPNmanager Configuration Guide Release 3.7
As a packet is routed through different networks, it may be necessary for a router to divide the
packet into smaller pieces because it might be too large to transmit as a single packet on a
different network. This may occur at the interfaces of physically different networks.
The MTU of a security gateway passing secure traffic is 1404 bytes, which includes the
additional IPSec information. The MTU of a security gateway passing unprotected traffic is 1514
bytes.
If Path MTU Discovery is running, a security gateway does not convert the following types of
packets into secured traffic, and it uses an ICMP message to ask the source of the packets to
fragment them.
Packets larger than 1404 bytes
Packets with the Don’t Fragment Bit set
Packets being the first fragment in the IP datagram
Following are reasons why you may not want a security gateway to participate in Path MTU:
A firewall sits between the security gateway and the source of packets needing VPN
services. This would prevent the source from receiving security gateway ICMP messages
indicating that fragmentation is needed.
The source of packets needing VPN services does not fragment packets, even when
notified by a security gateway ICMP message.
A router in the network is outdated and will not send an ICMP fragmentation-needed
message, or will not send a message at all.
The symptom of either of these situations would be that a network sniff indicates the security
gateway is sending a fragmentation-needed ICMP message, but the traffic initiator is
retransmitting the original packet.
To configure the Path MTU Discovery:
1. From the Device>Contents column, select the security gateway you want to configure.
2. Click the Advanced tab to bring it to the front.
3. From the Properties column, select MTU Path Discovery to display the MTU Path
Discovery values.
4. From the Values list, do the following.
Select the On radio button to run MTU Path Discovery.
Select the Off radio button to disable MTU Path Discovery.
5. Enter the Path MTU Timeout value.
The path MTU timeout value is the number of minutes the security gateway (SG) will remember
the new MTU learned for a path. When the timeout expires, the SG will attempt to send the
maximum configured packet size. The default value is 1000. A timeout value of 0 means that the
path MTU will never time out.
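The following is an added illustration, not code from the Avaya guide or the VPNmanager product: a small Python model of the security gateway's Path MTU Discovery behaviour as described above (the three exempted packet types, the path MTU timeout from step 5, and a check for the retransmission symptom). Class and function names, and the sniff events, are assumptions constructed for the example; the numbers 1404, 1514, the 1000-minute default and the meaning of 0 come from the page.

```python
# Model of the security gateway (SG) Path MTU Discovery rules on this page.
# Names below are assumptions; the MTU and timeout values are taken from the page.
from dataclasses import dataclass

SECURE_MTU = 1404       # bytes, includes the added IPSec information
UNPROTECTED_MTU = 1514  # bytes, unprotected traffic

@dataclass
class Packet:
    length: int
    dont_fragment: bool = False
    first_fragment: bool = False  # first fragment of an already fragmented datagram

def pmtu_exempt(pkt: Packet) -> bool:
    """True when the SG, with Path MTU Discovery on, will not secure the packet and
    instead answers the source with ICMP 'fragmentation needed' (the three listed cases)."""
    return pkt.length > SECURE_MTU or pkt.dont_fragment or pkt.first_fragment

class PathMtuCache:
    """MTU learned per path, forgotten after timeout_min minutes; 0 means never forget."""
    def __init__(self, timeout_min: int = 1000, max_mtu: int = SECURE_MTU):
        self.timeout_min, self.max_mtu, self._paths = timeout_min, max_mtu, {}

    def learn(self, path: str, mtu: int, now_min: float) -> None:
        # a learned MTU can only be smaller than the configured maximum
        self._paths[path] = (min(mtu, self.max_mtu), now_min)

    def mtu_for(self, path: str, now_min: float) -> int:
        entry = self._paths.get(path)
        if entry is None:
            return self.max_mtu
        mtu, learned_at = entry
        if self.timeout_min and now_min - learned_at >= self.timeout_min:
            del self._paths[path]  # expired: retry the maximum configured size
            return self.max_mtu
        return mtu

def stuck_sources(events) -> set:
    """Troubleshooting check for the symptom above: the SG sent ICMP 'fragmentation
    needed' to a source, yet that source retransmitted a packet still larger than the
    advertised MTU. `events` are constructed sniff records, oldest first."""
    told, stuck = {}, set()
    for ev in events:
        if ev["type"] == "icmp_frag_needed":
            told[ev["to"]] = ev["mtu"]
        elif ev["type"] == "packet" and ev["src"] in told and ev["length"] > told[ev["src"]]:
            stuck.add(ev["src"])
    return stuck
```

A source that appears in the returned set matches the situation the guide describes (firewall dropping the ICMP, a host ignoring it, or an outdated router), which is when turning Path MTU Discovery off on the security gateway is worth considering.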