[vpn-help] No connect when configured for jumbo frames

[Kevin VPN]

On 10/28/2013 02:29 PM, Paul Theodoropoulos wrote:
> On 10/25/13, 11:18 AM, Thomas Stokkeland wrote:
>> If you are not doing SAN stuff, or very large file transfers within
>> the collision domain - enabling Jumbo is likely to cause a crappier
>> performance than leaving it at the standard 1500MTU - because, the
>> router or receiving device will tell the sender to fragment, your
>> packet will be split in half, this retransmit attempt will happen
>> several times till the MTU is met - then as the "knowledge" of this
>> expires your device will have to do that over and over.. causing a ton
>> of extra traffic on your network.. so, if you don't have a requirement
>> to use large MTU, then turn it off - i suspect there are mechanisms in
>> the vpn software that either ignores large packets (because they are
>> not to be routed) or just can't handle fragmentation at that level
>
> That makes sense - thanks for the explanation. I suffer the "If an
> optional value is bigger, it must therefore be better/faster/more, so I
> need to use it" syndrome.
>

Hi Paul,

Along with what Thomas said, a lot of firewalls simply drop fragmented 
packets (in general, not specific to jumbo frames).

When they do try to do reassembly, I've seen errors related to what 
essentially seems to checksum failures (bad SPI I think).  Furthermore, 
a bunch of fragmented packets will lead to a higher possibility of 
out-of-order or lost packets, which will could also mess up the 
reassembly process and will definitely negatively affect performance.