Configurable Maximum Transmission Unit for GlobalProtect Connections

Software Support
: Starting with GlobalProtect™ app 5.2.4 with Content Release version 8346-6423 or later.
OS Support
: Windows, macOS, Android, iOS, Linux, Windows UWP, and IoT operating systems—Android, Raspbian, Ubuntu, or Windows IoT Enterprise
You can now optimize the connection experience for end users connecting over networks that require maximum transmission unit (MTU) values lower than the standard of 1500 bytes by specifying the MTU value that the GlobalProtect app uses to connect to the gateway. By reducing the MTU size, you can eliminate performance and connectivity issues that occur due to fragmentation when VPN tunnel connections pass through multiple Internet Service Providers (ISPs) and network paths with an MTU lower than 1500 bytes. You can configure the GlobalProtect connection MTU value between 1000 and 1420 bytes instead of the preset default MTU value of 1400 bytes. For example, you can assign a lower MTU value to a specific group of users from a region by using a different portal configuration with a lower MTU value requirement. The MTU value that you configure for a specific portal applies to all the gateway tunnel connections listed for that portal, for both IPSec and SSL tunnel protocols.
In Pre-Logon (Always On) deployments, GlobalProtect must recreate the user tunnel in order for the newly configured MTU value in the user's portal configuration to take effect. This deployment requires the Pre-logon Tunnel Rename Timeout value to be set to 0 in the GlobalProtect portal configuration.
The following diagram illustrates the challenges of the VPN tunnel connections that are passed over networks that require MTU values lower than the standard of 1500 bytes.
  1. Configure the MTU value for GlobalProtect connections.
    You can configure a specific group of users from a region with a lower MTU value requirement instead of the preset default MTU value by using a different portal configuration.
    1. Select Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config>.
    2. Select Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > App > GlobalProtect Connection MTU (bytes).
    3. Specify the GlobalProtect Connection MTU (bytes) value that the app uses for gateway connections.
      You can specify an MTU value from 1000 to 1420 bytes. The default value is 1400 bytes.
      (Windows UWP only) After you manually configure the adapter MTU value using the netsh command, the GlobalProtect client cannot set a GlobalProtect Connection MTU (bytes) value in the portal configuration that is greater than the manually configured value.
      If the MTU value is less than 1280 bytes and IPv6 is enabled, the GlobalProtect adapter automatically changes the value to 1280 bytes, the minimum MTU supported for IPv6.
  2. Click OK twice.
  3. Commit the configuration.
  4. Verify the MTU configuration.
    You can verify the MTU value for the GlobalProtect adapter on Windows, Windows UWP, macOS, Linux, Android, iOS, and IoT endpoints. The MTU value is displayed in the GlobalProtect agent (PanGPA) and GlobalProtect service (PanGPS) log files.
    The following example shows the entry in the PanGPA log file:
    <agent-config name="agent-config"> ................ <tunnel-mtu>1100</tunnel-mtu>
    The following example shows the entry in the PanGPS log file:
    P30752-T-1957562624 Nov 11 15:52:06:111233 Debug( 310): Configured MTU is 1100
    • On Windows and Windows UWP endpoints, enter the netsh interface <ipv4-or-ipv6> show interface command from the terminal command line, as shown in the following example:
      C:\Users\Administrator>netsh interface ipv4 show interface
      Idx     Met         MTU          State                Name
      ---  ----------  ----------  ------------  ---------------------------
       13          25        1500  connected     Ethernet0
        5           1        1100  connected     Ethernet2
    • On macOS endpoints, enter the ifconfig <gp-interface-name> command from a macOS terminal, as shown in the following example:
      % ifconfig utun0
      utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1100
      ........
    • On Linux endpoints, enter the ifconfig <gp-interface-name> command, as shown in the following example:
      user@linuxhost:~$ ifconfig gpd0
      gpd0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1100
      ........
    • On Android, iOS, Windows, macOS, IoT, and Linux endpoints, you can generate a packet capture on the GlobalProtect gateway for the specific tunnel interface to which the GlobalProtect client is connecting. After downloading the packet capture file, you can review the maximum segment size (MSS) value sent from the GlobalProtect client. This value is 40 bytes less than the GlobalProtect Connection MTU (bytes) value that you configured.
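The verification step above checks the same value in three places (the PanGPA agent-config, the PanGPS debug line, and the adapter). The following script is an added example, not Palo Alto Networks code: it parses constructed samples of those three sources, applies the 1000-1420 range and the IPv6 1280-byte floor described on this page, and reports the MSS a gateway capture should show. It assumes that the PanGPS line echoes the portal-configured value while the adapter shows the IPv6-adjusted one.

```python
import re

# Constants taken from the page: configurable range, default, and the IPv6 floor.
MTU_MIN, MTU_MAX, MTU_DEFAULT = 1000, 1420, 1400
IPV6_MIN_MTU = 1280
# The MSS seen in a gateway capture is MTU minus 40 bytes (20-byte IP + 20-byte TCP header).
TCP_IP_HEADER_BYTES = 40

# Constructed sample lines modelled on the log and ifconfig excerpts shown on the page.
PANGPA_SAMPLE = '<agent-config name="agent-config"> ... <tunnel-mtu>1100</tunnel-mtu>'
PANGPS_SAMPLE = "P30752-T-1957562624 Nov 11 15:52:06:111233 Debug( 310): Configured MTU is 1100"
IFCONFIG_SAMPLE = "gpd0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1100"

def parse_pangpa_mtu(text):
    """Return the <tunnel-mtu> value from a PanGPA agent-config excerpt, or None."""
    m = re.search(r"<tunnel-mtu>(\d+)</tunnel-mtu>", text)
    return int(m.group(1)) if m else None

def parse_pangps_mtu(text):
    """Return the value from a PanGPS 'Configured MTU is N' debug line, or None."""
    m = re.search(r"Configured MTU is (\d+)", text)
    return int(m.group(1)) if m else None

def parse_ifconfig_mtu(text):
    """Return the 'mtu N' field from ifconfig output for the GlobalProtect adapter, or None."""
    m = re.search(r"\bmtu (\d+)\b", text)
    return int(m.group(1)) if m else None

def effective_mtu(configured, ipv6_enabled):
    """Apply the page's rules: reject out-of-range values; raise to 1280 when IPv6 is enabled."""
    if not MTU_MIN <= configured <= MTU_MAX:
        raise ValueError(f"MTU {configured} is outside the allowed {MTU_MIN}-{MTU_MAX} range")
    return max(configured, IPV6_MIN_MTU) if ipv6_enabled else configured

def expected_mss(mtu):
    """MSS that a gateway packet capture should show for a given adapter MTU."""
    return mtu - TCP_IP_HEADER_BYTES

def verify(pangpa, pangps, ifconfig, ipv6_enabled):
    """Cross-check portal config, service log and adapter; 'consistent' is True when all agree.
    Assumption: PanGPS echoes the portal value, the adapter shows the IPv6-adjusted one."""
    portal = parse_pangpa_mtu(pangpa)
    if portal is None:
        raise ValueError("no <tunnel-mtu> element in PanGPA excerpt")
    want = effective_mtu(portal, ipv6_enabled)
    service, adapter = parse_pangps_mtu(pangps), parse_ifconfig_mtu(ifconfig)
    return {"portal": portal, "service": service, "adapter": adapter, "expected_mtu": want,
            "expected_mss": expected_mss(want), "consistent": service == portal and adapter == want}
```

With IPv6 enabled the same 1100-byte sample is reported as inconsistent, because the adapter should then read 1280 rather than the configured value.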
