Changing MTU on one spoke tears down ALL tunnels?

    Posted 11-08-2016 04:02

    I changed the MTU to 2000B (mtu-override) on the wan1 port of a FG60D that connects to a FG1200D cluster over IPsec. The config of the spoke is not changed. I did not expect anything to happen since I only changed one end, except maybe the IPsec tunnel flapping. But after some seconds I suddenly got 1922B through with the DF bit set. So the IPsec tunnel is apparently working.

    Kind of weird, since the hub has no MTU config?

    I use one phase1 and 5-6 phase2s per spoke, and have around 100 spokes. Another weird thing is that all the other phase2s in this hub-and-spoke setup ALSO flapped. That is, changing the MTU on ONE SPOKE tears down ALL TUNNELS? Can this be right?

    Running 5.2.7.