Maximum Segment Size (MSS)
The maximum transmission unit (MTU) is a value indicating the largest number of bytes that can be transmitted in a single TCP packet. The MTU includes the length of headers, so the MTU minus the number of bytes in the headers equals the maximum segment size (MSS), which is the maximum number of data bytes that can be transmitted in a single packet.
A configurable MSS adjustment size (shown below) allows your firewall to pass traffic that has longer headers than the default setting allows. Encapsulation adds length to headers, so you would increase the MSS adjustment size to allow for those extra bytes, for example to accommodate an MPLS header or tunneled traffic that carries a VLAN tag.
If the DF (don’t fragment) bit is set for a packet, it is especially helpful to have a larger MSS adjustment size and smaller MSS so that longer headers do not result in a packet length that exceeds the allowed MTU. If the DF bit were set and the MTU were exceeded, the larger packets would be dropped.
(PAN-OS 9.0.9 and later 9.0 releases) You can configure the firewall globally to fragment IPv4 packets that exceed the egress interface MTU, even when the DF bit is set in the packet. Enable this for Layer 3 physical interfaces and IPSec tunnel interfaces using the CLI command debug dataplane set ipv4-df-ignore yes. Restore the firewall to the default behavior by using the CLI command debug dataplane set ipv4-df-ignore no.
The firewall supports a configurable MSS adjustment size for IPv4 and IPv6 addresses on the following Layer 3 interface types: Ethernet, subinterfaces, Aggregated Ethernet (AE), VLAN, and loopback. The IPv6 MSS adjustment size applies only if IPv6 is enabled on the interface.
If IPv4 and IPv6 are enabled on an interface and the MSS Adjustment Size differs between the two IP address formats, the proper MSS value corresponding to the IP type is used for TCP traffic.
For IPv4 and IPv6 addresses, the firewall accommodates larger-than-expected TCP header lengths. In the case where a TCP packet has a larger header length than you planned for, the firewall chooses as the MSS adjustment size the larger of the following two values:
- The configured MSS adjustment size
- The sum of the length of the TCP header (20) + the length of IP headers in the TCP SYN
This behavior means that the firewall overrides the configured MSS adjustment size if necessary. For example, if you configure an MSS adjustment size of 42, you expect the MSS to equal 1458 (the default MTU size minus the adjustment size [1500 - 42]). However, if the TCP SYN carries 4 extra bytes of IP options, the header-based adjustment size is 20 (TCP header) + 20 (IPv4 base header) + 4 (options) = 44 bytes, which is larger than the configured MSS adjustment size of 42. The firewall therefore uses 44, and the resulting MSS is 1500 - 44 = 1456 bytes, smaller than you expected.
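The rule above (adjustment used = the larger of the configured value and TCP header + IP header length seen in the SYN; MSS = MTU minus that adjustment) is easy to get wrong when reasoning about tunnels, so the following added example works it through on constructed packets. It is illustrative Python written for this page, not PAN-OS code, and it makes two assumptions: the TCP header is counted as 20 bytes, as the text states, and the IPv6 sample carries no extension headers. The packet builders, addresses, and the 4-byte Router Alert option are constructed sample data; the DF-bit reader is included because the text notes that an oversized packet with DF set is dropped rather than fragmented.

```python
"""Worked example of the MSS-adjustment rule (added example, not PAN-OS code)."""
import ipaddress
import struct

DEFAULT_MTU = 1500
TCP_HEADER_LEN = 20  # the text counts the TCP header as 20 bytes when sizing the adjustment


def build_tcp_syn() -> bytes:
    """Constructed 20-byte TCP SYN (data offset 5, no TCP options)."""
    return struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def build_ipv4_syn(ip_options: bytes = b"", df: bool = True) -> bytes:
    """Constructed sample IPv4 packet: base header, optional IP options (NOP-padded to a
    multiple of 4 bytes so IHL stays whole), then the 20-byte TCP SYN."""
    if len(ip_options) % 4:
        ip_options += b"\x01" * (4 - len(ip_options) % 4)  # 0x01 = IP NOP option
    ihl = 5 + len(ip_options) // 4                          # header length in 32-bit words
    tcp = build_tcp_syn()
    flags_frag = 0x4000 if df else 0x0000                   # bit 14 = Don't Fragment
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl, 0, ihl * 4 + len(tcp), 0, flags_frag, 64, 6, 0,
        ipaddress.IPv4Address("192.0.2.10").packed,     # constructed documentation addresses
        ipaddress.IPv4Address("198.51.100.20").packed,
    )
    return ip + ip_options + tcp


def build_ipv6_syn() -> bytes:
    """Constructed sample IPv6 packet: 40-byte base header followed by the 20-byte TCP SYN."""
    tcp = build_tcp_syn()
    ip6 = struct.pack(
        "!IHBB16s16s",
        6 << 28, len(tcp), 6, 64,                        # version 6, payload len, next hdr TCP, hop limit
        ipaddress.IPv6Address("2001:db8::10").packed,
        ipaddress.IPv6Address("2001:db8::20").packed,
    )
    return ip6 + tcp


def ip_header_len(packet: bytes) -> int:
    """IP header length in bytes as read from the SYN: IHL*4 for IPv4 (options included),
    40 for IPv6. Assumption: no IPv6 extension headers in the samples."""
    version = packet[0] >> 4
    if version == 4:
        return (packet[0] & 0x0F) * 4
    if version == 6:
        return 40
    raise ValueError(f"unsupported IP version {version}")


def df_bit_set(packet: bytes) -> bool:
    """True when the IPv4 Don't Fragment bit is set. IPv6 has no DF bit (routers never
    fragment IPv6 in transit), so it reports False."""
    if packet[0] >> 4 != 4:
        return False
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    return bool(flags_frag & 0x4000)


def effective_mss(packet: bytes, configured_adjust: int, mtu: int = DEFAULT_MTU) -> tuple[int, int]:
    """Apply the rule from the text: the adjustment actually used is the larger of the
    configured value and (TCP header + IP header length seen in the SYN), and
    MSS = MTU - adjustment. Returns (mss, adjustment_used)."""
    seen_in_syn = TCP_HEADER_LEN + ip_header_len(packet)
    adjust = max(configured_adjust, seen_in_syn)
    return mtu - adjust, adjust


if __name__ == "__main__":
    samples = (
        ("IPv4, no options", build_ipv4_syn()),
        ("IPv4, 4B options", build_ipv4_syn(ip_options=b"\x94\x04\x00\x00")),  # Router Alert option
        ("IPv6", build_ipv6_syn()),
    )
    for name, pkt in samples:
        mss, adj = effective_mss(pkt, configured_adjust=42)
        print(f"{name:18s} ip_hdr={ip_header_len(pkt):2d}  DF={df_bit_set(pkt)!s:5s}  "
              f"adjust used={adj}  MSS={mss}")
```

With a configured adjustment of 42, the plain IPv4 SYN yields the expected MSS of 1458, the SYN carrying 4 bytes of IP options forces the adjustment up to 44 and the MSS down to 1456 (the case in the text), and an IPv6 SYN, whose base header alone is 40 bytes, forces an adjustment of 60 and an MSS of 1440 regardless of the 42 you configured. When sizing an adjustment for tunneled traffic, check it against the real headers the SYN will carry rather than against the base-header minimums.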