MTU propagation is an optional feature that allows the system to listen for fragmentation-related ICMP error messages received from the public side of the tunnel. These error messages are:
ICMP Destination Unreachable message "fragmentation needed and DF set" (type 3, code 4)
ICMPv6 Packet Too Big message (type 2)
The suggested MTU value in the ICMP message is used to derive two MTU values:
The temporary public MTU (TMTU) is determined as follows:
The TMTU starts with a configured encapsulated-ip-mtu octets value.
If the received MTU is less than 1280 and it is from an ICMPv6 packet, the received value is ignored.
If the received MTU is less than 512 and it is from an ICMP (IPv4) packet, the received value is ignored.
If the received MTU is greater than or equal to the configured encapsulated-ip-mtu octets value, the received value is ignored.
If the received MTU is greater than or equal to the current TMTU, the received value is ignored.
If the received MTU is less than the current TMTU, it replaces the current TMTU.
To prevent attacks and rapid changes, there is a damp time of 60 seconds after a new TMTU value is set. Within that time frame, all received MTU values are ignored.
TMTU has a lifetime timer (configurable with an aging interval). When the lifetime timer expires, the TMTU’s value is reset to the encapsulated-ip-mtu octets value. The lifetime timer resets whenever a new TMTU value is set.
TMTU is a per-tunnel value.
Temporary private MTU (TPMTU) equals TMTU – Tunnel_Encap_Overhead.
TPMTU is a per-CHILD_SA value.
For a non-IPsec tunnel, Tunnel_Encap_Overhead is a fixed value per tunnel type. For an IPsec tunnel, it is the maximum overhead for the ipsec-transform transform-id value used by the CHILD_SA.
TMTU and TPMTU are used in the following cases:
TPMTU is used instead of the configured IP MTU for fragmenting IP packets received on the private side.
IKEv2 message fragmentation uses TMTU instead of the configured encapsulated-ip-mtu.
IKE IP packet fragmentation uses TMTU instead of the configured encapsulated-ip-mtu.
TMTU is used instead of the configured encapsulated-ip-mtu to derive the TCP MSS value for TCP MSS adjustment.
ESP packet fragmentation (post-encapsulation fragmentation) does not use TMTU; it only uses the configured encapsulated-ip-mtu octets value.
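The following Python model is an added illustration of the TMTU derivation rules and of which consumer uses which value, as described above; it is not the vendor's implementation. It assumes time is supplied explicitly in seconds, and the 73-octet Tunnel_Encap_Overhead used in the usage note is an assumed placeholder, not a value from the page.

```python
# Added illustration of the TMTU/TPMTU rules; not vendor code.
# Time is passed in explicitly (seconds) so the damp and aging timers are testable.

IPV6_MIN_MTU = 1280      # ICMPv6 reports below this are ignored
IPV4_MIN_MTU = 512       # ICMP (IPv4) reports below this are ignored
DAMP_SECONDS = 60        # hold-down after a new TMTU is set


class TunnelTmtu:
    """Per-tunnel temporary public MTU (TMTU) state."""

    def __init__(self, encap_ip_mtu, aging_interval):
        self.encap_ip_mtu = encap_ip_mtu        # configured encapsulated-ip-mtu
        self.aging_interval = aging_interval    # TMTU lifetime, seconds
        self.tmtu = encap_ip_mtu                # TMTU starts at the configured value
        self.set_at = None                      # when TMTU was last lowered; None = at default

    def _age(self, now):
        # Lifetime timer: reset TMTU to encapsulated-ip-mtu when it expires.
        if self.set_at is not None and now - self.set_at >= self.aging_interval:
            self.tmtu = self.encap_ip_mtu
            self.set_at = None

    def current(self, now):
        self._age(now)
        return self.tmtu

    def on_icmp_too_big(self, received_mtu, ip_version, now):
        """Apply one ICMP type 3/code 4 (v4) or ICMPv6 type 2 (v6) report.

        Returns True if the TMTU was lowered, False if the report was ignored."""
        self._age(now)
        if ip_version == 6 and received_mtu < IPV6_MIN_MTU:
            return False
        if ip_version == 4 and received_mtu < IPV4_MIN_MTU:
            return False
        if received_mtu >= self.encap_ip_mtu:
            return False
        if received_mtu >= self.tmtu:
            return False
        # Damp time: ignore every report for 60 s after a change.
        if self.set_at is not None and now - self.set_at < DAMP_SECONDS:
            return False
        self.tmtu = received_mtu
        self.set_at = now           # also restarts the lifetime timer
        return True


def tpmtu(tmtu, tunnel_encap_overhead):
    """Per-CHILD_SA temporary private MTU."""
    return tmtu - tunnel_encap_overhead


def effective_mtus(tunnel, tunnel_encap_overhead, now):
    """Which value each consumer uses, per the list above."""
    tmtu = tunnel.current(now)
    return {
        "private_side_fragmentation": tpmtu(tmtu, tunnel_encap_overhead),  # TPMTU
        "ikev2_message_fragmentation": tmtu,                                 # TMTU
        "ike_ip_fragmentation": tmtu,                                        # TMTU
        "tcp_mss_adjust_base": tmtu,                                         # TMTU
        "esp_post_encap_fragmentation": tunnel.encap_ip_mtu,                 # configured value only
    }


def run_scenario():
    """Constructed sequence of ICMP reports; returns the TMTU observed after each step."""
    t = TunnelTmtu(encap_ip_mtu=1500, aging_interval=600)
    steps = [
        (1400, 4, 0),     # accepted: lower than TMTU
        (1300, 4, 10),    # ignored: inside 60 s damp window
        (1300, 4, 70),    # accepted: damp window over
        (1000, 6, 200),   # ignored: ICMPv6 below 1280
        (400, 4, 200),    # ignored: ICMP below 512
        (1600, 4, 200),   # ignored: not below encapsulated-ip-mtu
    ]
    history = []
    for mtu, ver, now in steps:
        t.on_icmp_too_big(mtu, ver, now)
        history.append(t.current(now))
    history.append(t.current(now=670))   # aging interval elapsed since t=70: back to 1500
    return history


if __name__ == "__main__":
    print(run_scenario())
    t = TunnelTmtu(encap_ip_mtu=1500, aging_interval=600)
    t.on_icmp_too_big(1300, 4, 0)
    print(effective_mtus(t, 73, 0))   # 73 = assumed placeholder overhead
```

The scenario shows the three reasons a report is dropped (below the per-family floor, not below the configured or current value, inside the damp window) and the lifetime reset; the `effective_mtus` table makes the one exception explicit: post-encapsulation ESP fragmentation keeps the configured encapsulated-ip-mtu even while a lower TMTU is active.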
To enable this feature, configure the propagate-pmtu-v4 and propagate-pmtu-v6 commands under the ip-tunnel, ipsec-tunnel or tunnel-template contexts.