Imperva Cyber Community

  • 1.  Client can't connect TRP site via tunnel with default MTU 1500.

    Posted 07-07-2023 03:13
    Edited by tuan nguyen 07-07-2023 03:29

    Hi all,

    I have an issue with SecureSphere Gateway with our branches. They can't access the TRP site (transparent reverse proxy) with the default MTU. Our branches connect to the data center via an SSL tunnel.

    We have 2 solutions:

    • Turn off TRP; the GW won't process HTTPS traffic.
    • Reduce the MTU on the branch router or on Windows, for example to 1412.

    Does anyone know what is different between the TRP and non-TRP MTU? I think the packet after TRP has an MTU bigger than 1500 and other devices like the load balancer do not support it.

    PS: my GW uses the default MTU = 1500

    Thank you.


    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    tuan nguyen
    head of product development - fico
    Tien Phong Commercial Joint Stock Bank
    HA NOI
    ------------------------------



  • 2.  RE: Client can't connect TRP site via tunnel with default MTU 1500.

    Posted 07-10-2023 09:46

    Hi,

    Maybe you should increase MTU on GTWs.

    Try this:

    https://docs.imperva.com/bundle/z-kb-articles-km/page/9b0ff549.html



    ------------------------------
    Karol Gruszczynski
    IT Security Expert
    Trafford IT Sp. z o.o.
    Warsaw
    ------------------------------



  • 3.  RE: Client can't connect TRP site via tunnel with default MTU 1500.

    Posted 07-10-2023 21:16

    Hi,

    I already thought about it, but I don't think it will solve the problem. Because the clients can access the non-TRP site normally (also SSL traffic), I think there is no problem between the GW and the client; just after the GW unpacks the packet/connection, maybe it changed something that makes the MTU higher than 1500, and the load balancer/backend doesn't support that MTU.

    Thanks,



    ------------------------------
    tuan nguyen
    head of product development - fico
    Tien Phong Commercial Joint Stock Bank
    HA NOI
    ------------------------------



  • 4.  RE: Client can't connect TRP site via tunnel with default MTU 1500.

    Posted 08-28-2023 09:56

    Hi @tuan nguyen,

    Did you resolve your problem?



    ------------------------------
    Thomas Dao
    Products Consultant
    M.Tech Products Pte Ltd
    Ha Noi
    ------------------------------



  • 5.  RE: Client can't connect TRP site via tunnel with default MTU 1500.

    Posted 08-28-2023 23:37

    Hi,

    Thanks for your attention. We haven't found the root cause yet.



    ------------------------------
    tuan nguyen
    head of product development - fico
    Tien Phong Commercial Joint Stock Bank
    HA NOI
    ------------------------------



  • 6.  RE: Client can't connect TRP site via tunnel with default MTU 1500.

    Posted 25 days ago

    Hi @tuan nguyen,

    My customer seems to have hit the exact same issue you describe.
    When TRP is enabled, the clients work fine, and the maximum packet length we see is 1414 Bytes.
    When TRP is enabled, the clients cannot reach the server, and the maximum packet length we see is 1514 Bytes.
    The gateway MTU is 1500.

    Did you manage to resolve the issue, and if so how?
    Any help would be much appreciated.

    Thanks,
    Roee



    ------------------------------
    Roee Sharon
    Information Security Engineer
    Poalim Trust Services Ltd.
    IL
    ------------------------------



  • 7.  RE: Client can't connect TRP site via tunnel with default MTU 1500.

    Posted 25 days ago

    Hi @tuan nguyen,

    I just wanted to follow up on this. Did you manage to find the root cause? If so, could you please share how you resolved this? Was it related to the GW MTU?

    Thank you!

    Aaron

    Imperva Support



    ------------------------------
    Aaron Perry
    ------------------------------