VTI interfaces 21.05.x MTU MSS
-
XG7100 to SG2100 tunnels... I have successfully created a number of VTI tunnels from the 7100 to a number of 2100s (one to each remote site), and BGP routing is working fine over them. I can happily ping and telnet to switches, for example, across all sites, but other larger traffic (web connections to switches etc.) fails. I see "Default deny rule IPv4 (1000000104)" on the IPSEC interface in the firewall logs, so I thought asymmetric routing to start with, but then thought it is actually probably an MTU/MSS issue.
The MTU on all VTI interfaces is 1500 by default. If I set one to 1400 (and the same on the remote-side VTI interface), then all VTI interfaces on the 7100 show as MTU 1400, even though it is not set on any other interface... I am still not able to pass all traffic unless I also set the MSS to 1350 (I will try other values as well, as I would have thought the default 1360 should do, unless it actually isn't setting that and it needs to be manually set too).
So my particular issue seems fixable by manually setting MTU and MSS on the VTI interfaces (it seems a bug, though, that out of the box traffic is unlikely to pass successfully, and there is no mention in the docs of having to set the MTU, although there are lots of similar reports here and also here, for instance, which is where I selected the specific values: https://www.reddit.com/r/PFSENSE/comments/nudjfu/ipsec_vti_no_traffic/). But surely setting the MTU on one of the interfaces on the 7100 shouldn't affect all of the VTI interfaces on the same box?
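The post settles on MTU 1400 / MSS 1350 by trial and error. Rather than guessing, you can measure the largest don't-fragment packet that actually survives the tunnel and derive the matching MSS from it. The script below is an added example written for this page; it is not from the original post or from pfSense. It assumes the FreeBSD ping(8) flags used on pfSense (`-D` sets DF, `-s` is the ICMP payload size, `-t` is a timeout in seconds), and the far-side VTI address `10.255.0.2` is a placeholder you replace with your own. The MSS arithmetic is the standard one: TCP MSS = MTU minus the IPv4 header (20) and TCP header (20), so an MTU of 1400 corresponds exactly to the 1360 default the post mentions.

```shell
#!/bin/sh
# Added example (not from the original post): find the largest DF-bit ICMP
# payload that gets a reply across an IPsec VTI, convert it to a path MTU,
# and print the TCP MSS that fits that MTU.

# TCP MSS that fits a given MTU. IPv4: 20-byte IP header + 20-byte TCP header.
# IPv6: 40-byte IP header + 20-byte TCP header.
mss_for_mtu() {
    mtu="$1"
    family="${2:-4}"
    if [ "$family" = "6" ]; then
        echo $((mtu - 60))
    else
        echo $((mtu - 40))
    fi
}

# Convert between an IPv4 MTU and the ICMP echo payload that fills it:
# 20-byte IPv4 header + 8-byte ICMP header = 28 bytes of overhead.
icmp_payload_for_mtu() { echo $(($1 - 28)); }
mtu_for_icmp_payload() { echo $(($1 + 28)); }

# Real probe: one DF-set echo with the given payload size to $TARGET.
# Assumed FreeBSD/pfSense flags: -D = don't fragment, -t = timeout (seconds).
ping_df() {
    ping -D -c 1 -t 2 -s "$1" "$TARGET" >/dev/null 2>&1
}

# Offline stand-in for ping_df: succeeds when the payload fits a simulated
# path whose largest deliverable payload is $SIM_MAX_PAYLOAD (constructed).
sim_df_probe() {
    [ "$1" -le "${SIM_MAX_PAYLOAD:-1372}" ]
}

# Binary search for the largest payload size in [lo, hi] for which the probe
# command ($3, a shell function name) succeeds. Prints 0 if nothing succeeds.
find_max_payload() {
    lo="$1"; hi="$2"; probe="$3"
    best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid"; then
            best=$mid
            lo=$((mid + 1))
        else
            hi=$((mid - 1))
        fi
    done
    echo "$best"
}

main() {
    TARGET="${1:-10.255.0.2}"          # placeholder: far-side VTI address
    # 1472 is the payload that fills a 1500-byte IPv4 MTU, the upper bound here.
    payload=$(find_max_payload 0 1472 ping_df)
    if [ "$payload" -eq 0 ]; then
        echo "no DF-set reply from $TARGET at any size; check routing first" >&2
        return 1
    fi
    mtu=$(mtu_for_icmp_payload "$payload")
    echo "largest DF payload: $payload bytes"
    echo "path MTU toward $TARGET: $mtu"
    echo "set VTI MTU to $mtu and MSS to $(mss_for_mtu "$mtu")"
}

# Only probe the network when an address is given on the command line, so the
# functions above can be sourced or tested without sending any packets.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it from the 7100 as `sh vti-mtu.sh <far-side VTI address>` with the VTI at its default MTU; the result is the MTU the tunnel really carries, and the printed MSS is the value to clamp so TCP never has to rely on PMTUD through the tunnel. To exercise the search offline, call `SIM_MAX_PAYLOAD=1372 find_max_payload 0 1472 sim_df_probe` after sourcing the file; 1372 is the payload of a 1400-byte MTU. On Linux the equivalent ping flags are `-M do` (DF), `-W 2` (timeout) and `-s`.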