Dropped Larger Packets Over PepVPN

Having some trouble with dropped packets over a PepVPN between a Balance 20X and a Balance SDX.

I am noticing that when I do an MTU test (pinging at different packet size) over the VPN I simply get dropped packets rather than a warning that says that the packet can’t go through.

Both routers are able to successfully get to the Internet through WAN with an MTU of 1500.

I know there is additional overhead with VPN due to encapsulation, but I am not familiar with how much overhead the PepVPN adds.

When attempting to send a 1344 byte packet it goes through and responds on the VPN, but a 1355 byte packet does not. (see pings at end of post)

Is there a way for the system to notify that this size packet is too large to be used or does that not occur because of fragmentation due to the VPN?

Or does it seem that the WAN MTU needs to be lowered to accommodate?

ping -f -l 1317
Pinging with 1317 bytes of data:
Request timed out.

ping -f -l 1316
Pinging with 1316 bytes of data:
Reply from bytes=1316 time=32ms TTL=126

ping -f -l 1473
Pinging with 1473 bytes of data:
Packet needs to be fragmented but DF set.

8.1.2 firmware adds an option to ignore the DF bit of packets. You can view the release notes here.

1 Like

Thanks for that update.

I also found in a separate post that the overhead is roughly 80 bytes. So my finding makes sense because the PepVPN uses the lowest MTU of all of the WAN interfaces (in my case a cellular connection).