I feel your pain. On Nokia, you can NOT modify the mtu on the interface because Nokia stated that they will NOT support this configuration. On Secureplatform, checkpoint will support modification mtu on the interface. That's what diamond support TAC told me.
If you have pMTU in place and it is allowed through the firewall, that should take care of the issue. The other alternative is to modify the "tcp adjust-mss" to 1400 and it will solve your issue as well. On a Cisco device, do this:

ip tcp adjust-mss 1400

I am sure this value is somewhere in checkpoint. You can adjust it with gui-dbedit or dbedit.

Ben Wilson <[EMAIL PROTECTED]> wrote:

Yes, we have the same problem after moving to SecurePlatform from Nokia IPSO. Enabling fragmentation on the WAN link fixed our problem, but that won't work for all types of traffic. I have a call open with Check Point, but haven't gotten anywhere in 2 weeks. I am really starting to regret moving to SecurePlatform...

--
Ben

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 [mailto:FW-1-[EMAIL PROTECTED] On Behalf Of Torkel Mathisen
> Sent: Thursday, April 12, 2007 6:23 AM
> To: [EMAIL PROTECTED]
> Subject: [FW-1] MTU problems after upgrade
>
> Hi,
>
> We recently upgraded our firewalls from R55 to R61/62. We also moved
> from Solaris to SPLAT in the same process.
>
> After the upgrade we got lots of MTU problems. Traffic that worked
> before the upgrade now got blocked. Usually with "Invalid Sequence
> Number" and "Bad Ack Number".
>
> We found out that most of this was because somewhere from source to
> destination the MTU was configured lower than 1500.
>
> Like this:
>
> client -> server TCP D=1443 S=39048 Ack=1315177946 Seq=425805031 Len=1460 Win=49640
> client -> server TCP D=1443 S=39048 Push Ack=1315177946 Seq=425806491 Len=266 Win=49640
> server -> client ICMP Destination unreachable (Needed to fragment: next hop MTU = 1440)
>
> We have fixed this by changing the MTU setting on the servers. However I
> don't know if this is such a good idea as it will affect all traffic to
> and from the server.
>
> Why this worked on our old firewalls I can't say really, but I think
> they were just badly configured.
>
> So my question is:
>
> What is the best way of dealing with this kind of scenario?
>
> Let's say you have a WAN link to a customer where the MTU is 1440 and
> your server/client is trying to send packets with 1460 bytes.
>
>
> Regards,
> Torkel
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
Subject: SecurePlatform MTU
Date: Wed, 28 Mar 2007 09:31:38 -0400
From: "Ben Wilson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>

We switched from Nokia IPSO to SecurePlatform R62 this weekend and had some problems with WAN connection across the new firewall. This is all internal traffic that traverses a Cisco point to point IP encrypted GRE tunnel:

Internet -- PIX -- DMZ -- Check Point -- Remote LAN -- WAN -- Local LAN -- Check Point -- DMZ -- PIX -- Internet

Connections from the Remote LAN to the Local DMZ were established, but when the web server tried sending data, it was getting dropped somewhere. We enabled fragmentation on the WAN connection and that seems to have fixed the problem, but I'm not sure why the Check Point was discovering the correct MTU/MSS size.

Any ideas?

Thanks!

Ben
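The trace Torkel quoted shows the mechanism the first reply relies on: a 1460-byte segment leaves the client, a router on the path answers with ICMP "Needed to fragment: next hop MTU = 1440", and a host (or a firewall doing MSS clamping) that honours that message should shrink its segments to fit. The script below is an added example, not code from any poster in the thread; it parses snoop-style trace lines like the ones quoted, correlates each "fragmentation needed" ICMP message with the earlier segments from the host it was addressed to, and reports which segments exceeded the path and what MSS clamp would fit. It assumes IPv4 and TCP headers without options (20 bytes each), which is how a 1440-byte next-hop MTU maps to the 1400-byte `adjust-mss` value suggested in the reply; the trace text is constructed from the values in the thread, not a real capture.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumed header sizes (IPv4 and TCP without options). With these,
# MSS = MTU - 40, so a 1440-byte next-hop MTU gives the 1400-byte clamp.
IPV4_HEADER = 20
TCP_HEADER = 20

# Constructed sample: the snoop-style lines quoted in Torkel's post.
SAMPLE_TRACE = """\
client -> server TCP D=1443 S=39048 Ack=1315177946 Seq=425805031 Len=1460 Win=49640
client -> server TCP D=1443 S=39048 Push Ack=1315177946 Seq=425806491 Len=266 Win=49640
server -> client ICMP Destination unreachable (Needed to fragment: next hop MTU = 1440)
"""

TCP_LINE = re.compile(
    r"^(?P<src>\S+) -> (?P<dst>\S+) TCP .*?Seq=(?P<seq>\d+) Len=(?P<len>\d+)"
)
ICMP_FRAG_LINE = re.compile(
    r"^(?P<src>\S+) -> (?P<dst>\S+) ICMP .*Needed to fragment: next hop MTU = (?P<mtu>\d+)"
)


@dataclass
class OversizedSegment:
    sender: str
    seq: int
    length: int
    next_hop_mtu: int
    recommended_mss: int


def recommended_mss(next_hop_mtu: int) -> int:
    """Largest TCP payload that fits in one packet of the given MTU."""
    return next_hop_mtu - IPV4_HEADER - TCP_HEADER


def analyze_trace(trace: str) -> Tuple[List[OversizedSegment], int]:
    """Correlate 'fragmentation needed' ICMP messages with the TCP segments
    that triggered them. Returns the oversized segments and the smallest
    next-hop MTU reported in the trace (0 if no such ICMP message was seen)."""
    segments = []  # (sender, receiver, seq, payload_len), in trace order
    findings: List[OversizedSegment] = []
    smallest_mtu = 0
    for line in trace.splitlines():
        m = TCP_LINE.match(line)
        if m:
            segments.append((m["src"], m["dst"], int(m["seq"]), int(m["len"])))
            continue
        m = ICMP_FRAG_LINE.match(line)
        if not m:
            continue
        mtu = int(m["mtu"])
        smallest_mtu = mtu if smallest_mtu == 0 else min(smallest_mtu, mtu)
        mss = recommended_mss(mtu)
        # The ICMP error is addressed to the host that sent the oversized
        # packet, so only that host's earlier segments are candidates.
        for sender, receiver, seq, length in segments:
            if sender == m["dst"] and length > mss:
                findings.append(OversizedSegment(sender, seq, length, mtu, mss))
        segments.clear()  # everything before this ICMP has been accounted for
    return findings, smallest_mtu


if __name__ == "__main__":
    oversized, mtu = analyze_trace(SAMPLE_TRACE)
    for f in oversized:
        print(f"{f.sender} seq={f.seq} len={f.length} exceeds MSS "
              f"{f.recommended_mss} for next-hop MTU {f.next_hop_mtu}")
    if mtu:
        print(f"clamp MSS to {recommended_mss(mtu)} "
              f"(Cisco: ip tcp adjust-mss {recommended_mss(mtu)})")
```

Run against a capture taken on the firewall, a trace that contains oversized segments and retransmissions but no "Needed to fragment" ICMP at all is the case the first reply warns about: path MTU discovery is not getting through, and clamping the MSS on the firewall or router is the fix that does not require touching every server's interface MTU.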
