If there is a link with a smaller MTU somewhere between the VPN gateways, the router connected to that link will send an ICMP "fragmentation needed" message (type 3, code 4) in response to ESP packets that have the DF bit set and that are bigger than the MTU.
However, at that point the firewall only stores the MTU information; no ICMP error message is sent to the endpoint of the original connection.
Only when the host in the internal network sends the next packet does the firewall handling the connection reply to that host with the ICMP error message.
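As an added illustration (not code from the original page), here is a small Python model of the behaviour just described: the firewall only caches the MTU from the router's ICMP message, and the internal host learns about it only on its next oversized DF packet, which is why the first packet is lost. The `ESP_OVERHEAD` figure, the `Gateway` and `Packet` classes and the addresses are assumptions of the example.

```python
from dataclasses import dataclass, field

# Assumed per-packet ESP/tunnel overhead in bytes; the real figure depends
# on the mode, cipher, integrity algorithm and whether NAT-T is in use.
ESP_OVERHEAD = 73

@dataclass
class Packet:
    src: str
    dst: str
    size: int        # total inner IP datagram length in bytes
    df: bool = True  # Don't Fragment bit

@dataclass
class IcmpFragNeeded:
    to: str            # host that receives the type 3 / code 4 message
    next_hop_mtu: int  # MTU the host should use for this path

@dataclass
class Gateway:
    peer: str                                  # remote VPN gateway address
    overhead: int = ESP_OVERHEAD
    pmtu: dict = field(default_factory=dict)   # learned path MTU per peer

    def on_icmp_from_path(self, original_dst: str, next_hop_mtu: int) -> None:
        """A router reports that an ESP packet to `original_dst` exceeded
        `next_hop_mtu`. The gateway records it but tells the internal host nothing."""
        self.pmtu[original_dst] = next_hop_mtu

    def on_inner_packet(self, pkt: Packet):
        """Handle a packet from the internal network that is headed into the tunnel."""
        outer_size = pkt.size + self.overhead
        mtu = self.pmtu.get(self.peer)
        if mtu is not None and pkt.df and outer_size > mtu:
            # Only now does the host hear about the path: report the MTU it
            # can use once the tunnel overhead has been subtracted.
            return ("icmp", IcmpFragNeeded(to=pkt.src, next_hop_mtu=mtu - self.overhead))
        # Unknown path MTU, DF clear, or small enough: encapsulate and forward.
        return ("forward", outer_size)

if __name__ == "__main__":
    gw = Gateway(peer="203.0.113.2")  # constructed documentation address
    big = Packet("10.0.0.5", "10.1.0.7", 1400)
    print(gw.on_inner_packet(big))             # ('forward', 1473): first packet is sent and lost
    gw.on_icmp_from_path("203.0.113.2", 1400)  # router reports the path only carries 1400
    print(gw.on_inner_packet(big))             # ('icmp', ...): the host is told only now
```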