Configurable Maximum Transmission Unit for GlobalProtect Connections

Software Support: Starting with GlobalProtect™ app 5.2.4 with Content Release version 8346-6423 or later.
OS Support: Windows, macOS, Android, iOS, Linux, Windows UWP, and IoT operating systems—Android, Raspbian, Ubuntu, or Windows IoT Enterprise
You can now optimize the connection experience for end users connecting over networks that require maximum transmission unit (MTU) values lower than the standard 1500 bytes by specifying the MTU value that the GlobalProtect app uses to connect to the gateway. By reducing the MTU size, you can eliminate the performance and connectivity issues that fragmentation causes when VPN tunnel connections traverse multiple Internet Service Providers (ISPs) and network paths with an MTU lower than 1500 bytes. You can configure the GlobalProtect connection MTU value from 1000 to 1420 bytes instead of the preset default MTU value of 1400 bytes. For example, you can give a specific group of users from a region a lower MTU value by assigning them a different portal configuration that specifies that lower value. The MTU value that you configure for a specific portal applies to all the gateway tunnel connections listed for that portal, for both the IPSec and SSL tunnel protocols.
In Pre-Logon (Always On) deployments, GlobalProtect must recreate the user tunnel in order for the newly configured MTU value in the user's portal configuration to take effect. This deployment requires the Pre-logon Tunnel Rename Timeout value to be set to 0 in the GlobalProtect portal configuration.
The following diagram illustrates the challenges of the VPN tunnel connections that are passed over networks that require MTU values lower than the standard of 1500 bytes.
  1. Configure the MTU value for GlobalProtect connections.
    You can configure a specific group of users from a region with a lower MTU value requirement instead of the preset default MTU value by using a different portal configuration.
    1. Launch the Web Interface.
    2. Select Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config>.
    3. Select Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > App > GlobalProtect Connection MTU (bytes).
    4. Specify the GlobalProtect Connection MTU (bytes) value that is used by the app for gateway connections.
      You can specify the MTU range from 1000 to 1420 bytes. The default value is 1400 bytes.
      (Windows UWP only) After you manually set the adapter MTU with the netsh command, the GlobalProtect client cannot apply a GlobalProtect Connection MTU (bytes) value from the portal configuration that is greater than the manually configured value.
      If the MTU value is less than 1280 bytes and IPv6 is enabled, the GlobalProtect adapter automatically changes the value to 1280 bytes as per the minimum supported MTU requirement for IPv6.
  2. Click OK twice.
  3. Commit the configuration.
  4. Verify the MTU configuration.
    You can verify the MTU value for the GlobalProtect adapter on Windows, Windows UWP, macOS, Linux, Android, iOS, and IoT endpoints. The MTU value is displayed in the GlobalProtect agent (PanGPA) and GlobalProtect service (PanGPS) log files.
    The following example shows the entry in the PanGPA log file:
    <agent-config name="agent-config"> ................ <tunnel-mtu>1100</tunnel-mtu>
    The following example shows the entry in the PanGPS log file:
    P30752-T-1957562624 Nov 11 15:52:06:111233 Debug( 310): Configured MTU is 1100
    • On Windows and Windows UWP endpoints, enter the netsh interface <ipv4-or-ipv6> show interface command from the terminal command line, as shown in the following example:
      C:\Users\Administrator>netsh interface ipv4 show interface

      Idx     Met         MTU          State                Name
      ---  ----------  ----------  ------------  ---------------------------
       13          25        1500  connected     Ethernet0
        5           1        1100  connected     Ethernet2
    • On macOS endpoints, enter the ifconfig <gp-interface-name> command from a macOS terminal, as shown in the following example:
      % ifconfig utun0
      utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1100
      ........
    • On Linux endpoints, enter the ifconfig <gp-interface-name> command, as shown in the following example:
      user@linuxhost:~$ ifconfig gpd0
      gpd0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1100
      ........
    • On Android, iOS, Windows, macOS, IoT, and Linux endpoints, you can generate a packet capture on the GlobalProtect gateway for the specific tunnel interface to which the GlobalProtect client is connecting. After downloading the packet capture file, you can review the maximum segment size (MSS) value sent from the GlobalProtect client. This value is 40 bytes less than the GlobalProtect Connection MTU (bytes) value that you configured (the 20-byte IPv4 header plus the 20-byte TCP header).
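The verification procedure above can be scripted: the rules from this page (1000 to 1420 byte range, default 1400, IPv6 floor of 1280, MSS = MTU minus 40) are encoded as small functions, and the PanGPA, PanGPS, ifconfig and netsh outputs are parsed and compared against the value the portal configuration should yield. This is an added example, not Palo Alto Networks code; the log lines and command output below are constructed to mirror the formats shown on this page.

```python
import re
from typing import Optional

MTU_MIN, MTU_MAX, MTU_DEFAULT, IPV6_MIN_MTU = 1000, 1420, 1400, 1280

# Constructed samples mirroring the log and command-output formats shown above.
PANGPA_LOG = '<agent-config name="agent-config"> ... <tunnel-mtu>1100</tunnel-mtu>'
PANGPS_LOG = 'P30752-T-1957562624 Nov 11 15:52:06:111233 Debug( 310): Configured MTU is 1100'
IFCONFIG_OUT = 'utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1100'
NETSH_OUT = """Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
 13          25        1500  connected     Ethernet0
  5           1        1100  connected     Ethernet2"""

def effective_mtu(portal_mtu: int, ipv6_enabled: bool = False) -> int:
    """MTU the adapter ends up using: the portal value, raised to 1280 when IPv6 is on."""
    if not MTU_MIN <= portal_mtu <= MTU_MAX:
        raise ValueError(f"portal MTU must be {MTU_MIN}-{MTU_MAX} bytes, got {portal_mtu}")
    return max(portal_mtu, IPV6_MIN_MTU) if ipv6_enabled else portal_mtu

def expected_mss(mtu: int) -> int:
    """TCP MSS the client advertises in the gateway capture: MTU minus 40 header bytes."""
    return mtu - 40

def mtu_from_pangpa(text: str) -> Optional[int]:
    m = re.search(r"<tunnel-mtu>(\d+)</tunnel-mtu>", text)
    return int(m.group(1)) if m else None

def mtu_from_pangps(text: str) -> Optional[int]:
    m = re.search(r"Configured MTU is (\d+)", text)
    return int(m.group(1)) if m else None

def mtu_from_ifconfig(text: str) -> Optional[int]:
    m = re.search(r"\bmtu (\d+)", text)
    return int(m.group(1)) if m else None

def mtu_from_netsh(text: str, iface: str) -> Optional[int]:
    """Pick the MTU column for one interface out of 'netsh ... show interface' output."""
    for line in text.splitlines()[2:]:            # skip the header and dashed separator
        cols = line.split()
        if len(cols) >= 5 and " ".join(cols[4:]) == iface:
            return int(cols[2])
    return None

def check_endpoint(portal_mtu: int, ipv6_enabled: bool, *observed: Optional[int]) -> list:
    """Return every observed MTU that disagrees with what the portal config should yield."""
    want = effective_mtu(portal_mtu, ipv6_enabled)
    return [v for v in observed if v != want]
```

An empty list from check_endpoint means the PanGPA, PanGPS and adapter values all agree with the portal setting; a non-empty list points at the layer (log versus adapter) where the value was not applied.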