Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

MTU size in AWS

  • 1.  MTU size in AWS

    Posted Jul 08, 2022 03:27 AM
    Hi,

    I read in the docs that the configure mtu command has been removed. We are doing a multi-region deployment and the default MTU value is 9001. How can we change it to 1500?


  • 2.  RE: MTU size in AWS

    Posted Jul 08, 2022 08:36 PM
    This is handled 100% by the Azure networking subsystem. This would be a question for Microsoft. What issues are you experiencing?


  • 3.  RE: MTU size in AWS

    Posted Jul 11, 2022 03:48 AM
    I was looking at this post:

    https://community.arubanetworks.com/blogs/esupport1/2018/01/03/cluster-join-stuck-at-retaining-local-node-certificate

    I have the same issue, but I'm also suspecting a certificate issue, so I need to check that first.


  • 4.  RE: MTU size in AWS

    Posted Aug 01, 2024 01:11 PM

    Did you ever get an answer for this? We're using an AWS Gateway Load Balancer with security appliances and are running into issues with ClearPass traffic being dropped as it traverses the Gateway Load Balancer service and hits the appliances (since intermediate AWS infrastructure won't fragment traffic).




  • 5.  RE: MTU size in AWS

    Posted Aug 02, 2024 10:23 AM

    What is the traffic that's being dropped?

    TCP should be good, UDP (RADIUS) may be an issue, but that can be resolved with EAP fragmentation settings on ClearPass and your network devices.



    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 6.  RE: MTU size in AWS

    Posted Aug 02, 2024 11:26 AM

    Hi Herman!

    In this case, it's the initial TCP connection used to pull in a new server as a subscriber in the cluster. I've performed packet captures on both the new subscriber and the publisher and can validate that the publisher is receiving the initial TCP connection setup traffic, but the TLS response from the publisher containing the server certificate is being silently dropped on the intermediate return path.

    Further context: our traffic path is VPC -> AWS Transit Gateway -> AWS Gateway Load Balancer -> Palo Alto security appliances.

    The AWS Gateway Load Balancer encapsulates traffic using Geneve before sending it to our Palo Alto firewalls, and I believe this is where the issue is happening. The firewall has an MTU of 1500, while the ClearPass default is set to 9001. Because AWS is capable of supporting the larger MTU on intermediate infrastructure, fragmentation is not occurring, and the Gateway Load Balancer does not support PMTUD. Large frames are encapsulated by the Gateway Load Balancer, hit our firewall appliances (which only support an MTU of 1500), and the firewall drops the traffic.

    We are trying to avoid adjusting the MTU on our Palo Alto appliances to avoid causing other issues. So far, ClearPass is the only appliance we have encountered that does not allow for adjusting the MTU.

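The arithmetic behind the drop described in the post above, as an added example that is not part of the original thread, of ClearPass, or of any AWS code: every inner packet leaving ClearPass gains an outer IP header, a UDP header and a Geneve header before it reaches the appliance, so an inner packet that already fills 1500 bytes (let alone 9001) cannot fit a 1500-byte appliance interface, and with no PMTUD and no fragmentation on the path it is simply lost. The IPv4, IPv6, UDP and Geneve base header sizes are from the respective RFCs; the 32-byte Geneve option length is my assumption about what the Gateway Load Balancer attaches, and the TCP MSS figure reflects MSS clamping as a general workaround, not something the thread confirms for this deployment.

```python
"""Geneve encapsulation MTU budget check for an AWS GWLB -> appliance path.

Added example, not ClearPass or AWS code. Header sizes are protocol constants;
GWLB_OPTIONS_LEN is an ASSUMPTION about the option TLVs the load balancer adds.
"""
from __future__ import annotations

from dataclasses import dataclass

IPV4_HDR = 20          # outer IPv4 header without options
IPV6_HDR = 40          # outer IPv6 header
UDP_HDR = 8            # outer UDP header (Geneve runs over UDP/6081)
GENEVE_BASE_HDR = 8    # fixed Geneve header, RFC 8926
GWLB_OPTIONS_LEN = 32  # ASSUMPTION: Geneve option TLVs added by AWS GWLB
TCP_IPV4_HDRS = 40     # inner IPv4 (20) + TCP (20) headers, for MSS math


@dataclass(frozen=True)
class EncapResult:
    inner_len: int       # inner IP packet size as emitted by the sender
    outer_len: int       # size on the wire after Geneve encapsulation
    appliance_mtu: int   # MTU of the receiving appliance interface
    fits: bool           # True if it arrives without needing fragmentation


def geneve_overhead(options_len: int = GWLB_OPTIONS_LEN, outer_ipv6: bool = False) -> int:
    """Bytes added to every inner packet by the outer IP, UDP and Geneve headers."""
    outer_ip = IPV6_HDR if outer_ipv6 else IPV4_HDR
    return outer_ip + UDP_HDR + GENEVE_BASE_HDR + options_len


def check_packet(inner_len: int, appliance_mtu: int,
                 options_len: int = GWLB_OPTIONS_LEN, outer_ipv6: bool = False) -> EncapResult:
    """Decide whether an inner packet of inner_len bytes survives encapsulation."""
    outer_len = inner_len + geneve_overhead(options_len, outer_ipv6)
    return EncapResult(inner_len, outer_len, appliance_mtu, outer_len <= appliance_mtu)


def max_inner_packet(appliance_mtu: int, options_len: int = GWLB_OPTIONS_LEN,
                     outer_ipv6: bool = False) -> int:
    """Largest inner IP packet that still fits the appliance MTU after encapsulation."""
    return appliance_mtu - geneve_overhead(options_len, outer_ipv6)


def tcp_mss_for(inner_mtu: int) -> int:
    """TCP MSS that keeps an inner IPv4/TCP segment within inner_mtu (MSS clamping value)."""
    return inner_mtu - TCP_IPV4_HDRS


def report(appliance_mtu: int = 1500, sender_mtus: tuple[int, ...] = (9001, 1500)) -> list[str]:
    """One line per sender MTU, plus the inner-packet limit the appliance can accept."""
    lines = []
    for mtu in sender_mtus:
        r = check_packet(mtu, appliance_mtu)
        verdict = "fits" if r.fits else "DROPPED (no PMTUD, no fragmentation on path)"
        lines.append(f"inner {r.inner_len:>5} B -> outer {r.outer_len:>5} B vs appliance MTU "
                     f"{appliance_mtu}: {verdict}")
    limit = max_inner_packet(appliance_mtu)
    lines.append(f"max inner packet for MTU {appliance_mtu}: {limit} B "
                 f"(TCP MSS {tcp_mss_for(limit)})")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

With the default 1500-byte appliance MTU the report shows that both a 9001-byte ClearPass packet (9069 bytes encapsulated) and a full 1500-byte packet (1568 bytes) are over budget, and that the inner packet would have to be at most 1432 bytes (TCP MSS 1392) to pass; swap `outer_ipv6=True` or a different `options_len` to see how the budget moves if your encapsulation differs from the assumed one.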



  • 7.  RE: MTU size in AWS

    Posted Aug 05, 2024 08:43 AM

    I'm not sure if the same option works for AWS, but on the ESXi VM you can set the MTU through the CLI:

    [appadmin@cppm.nl.arubalab.com]# configure mtu
    
    Usage:
        configure mtu <mgmt|data> <mtu-value>

    You may try whether that works and resolves your issue. From what I understand and have read about PMTU, modern TCP stacks assume that if (large) packets are lost, it may be because of MTU limits, even without receiving an ICMP message. But encapsulation can indeed result in issues, especially if there are stateful devices in-line that don't support PMTU.



    ------------------------------
    Herman Robers
    ------------------------------



  • 8.  RE: MTU size in AWS

    Posted Aug 05, 2024 01:57 PM

    That MTU command appears to no longer be available at least on 6.11 ClearPass in AWS. Would you happen to know if Aruba support is able to adjust MTU via root access to the system or is that something they would not be willing to do?




  • 9.  RE: MTU size in AWS

    Posted Aug 06, 2024 10:35 AM

    I don't have an AWS ClearPass, so I can't check it. When reading back the discussion to the top, there is a statement that the mtu command is removed (I assume it's specific to AWS/Azure), and a response that IP and MTU are managed from AWS/Azure, and ClearPass just follows that.

    You may check with TAC to see if they have more experience on this.



    ------------------------------
    Herman Robers
    ------------------------------