The other day, I was troubleshooting an issue where users reported that “some websites are working while some are not“. Uh. This is almost the worst scenario to face from a networker’s perspective. It’s way easier if things do or don’t work at all, but not this “some don’t” situation.
The scenario: Using Zscaler for outbound Internet connections, connected via a GRE tunnel from a Palo Alto Networks firewall. TL;DR: If it’s not DNS, it’s MTU. 😂 The “Suppress ICMP Frag Needed” option within the ICMP Drop section of the Zone Protection Profile did what it is meant to do: block “ICMP fragmentation needed” messages. Unfortunately, this killed *some* sessions which had the “Don’t fragment” bit set but exceeded the (lower) MTU of the GRE tunnel.
Troubleshooting such scenarios is quite awkward, since no log on the Palo GUI is helping. Neither the traffic log (connections are allowed) nor the threat log (no threat detected at all). You have to use either the well-known show counter global ... commands with some filters, or the show zone-protection ... information if you already suspect the zone protection to have its fingers in there, or some wild packet capturing and wiresharking. 😂 That’s what we did.
In the end, it was this “Suppress ICMP Frag Needed” within the Zone Protection Profile that was used on the *inbound* zone/interface from the client to the firewall. That is, this zone protection blocks *outgoing* ICMP destination unreachable – fragmentation needed messages that belong to previous *incoming* packets. Of course, we have disabled it again:
Here are some Wireshark screenshots from a now working connection. This is how the very first SYN packet appears on the wire: (Palo Packet Capture, transmit stage)
Here’s the whole session, showing the packet that was too big (1, later in the packet list due to an insufficient packet capture on the Palo itself, rather than with a real TAP), and two (!) ICMP destination unreachables – fragmentation needed messages (2, 3), lowering the “next-hop TTL” to 1400, respectively 1376 bytes:
Alternative Solution: Adjusting MSS
By the way: Another solution could have been adjusting the TCP MSS within the client’s interface on the Palo. The normal MSS = MTU – IP header – TCP header = 1500 – 20 – 20. But since a normal GRE header uses 24 bytes (another IP header with 20 bytes + GRE header of 4 bytes), the overall adjustment from the MTU should be 64 rather than the default of 40. (Same for IPv6, but now with an adjustment of 84 rather than 60.)
Disclore: I have not tested this approach yet. If anyone has, please write a comment!
The values would probably need to be adjusted further downward (i.e., a larger adjustment) if, for example, VLANs are used along the path or additional tunnelling mechanisms are in place. Test procedures would involve several lowering steps while capturing until no “ICMP fragmentation needed” errors are arriving anymore.
And I’m not even sure whether this approach would work or not, since the packet captures and screenshots above show that the client’s outgoing MSS was already quite low (1376), while the server still responded with exceeding payloads. 🤷🏻♂️
And this will only solve TCP problems, while the underlying problem of lower MTUs along the path is not solved.
Lessons Learned
- Path MTU Discovery (PMTUD) is still a thing!
- Blocking ICMP unreachables by default will break things. Allowing ICMP unreachables for previously allowed sessions is a best practice.
- Of course, gratuitous ICMP messages without formerly allowed connections that are sent from an attacker must still be blocked.
- The
show zone-protectionCLI command on a Palo helps troubleshoot IP connection failures that are beyond “denied by policy” or “detected threat”.
Further Reading/Watching
Soli Deo Gloria!
Photo by Nick Wright on Unsplash.
A true classic! My lasting policy since 25+ years:
1. it is never the firewall
2. it is always DNS
3. sometimes it’s MTU size
Besides that… GRE is good to spook kids at Halloween, but has no use beyond that. Get rid of it.
But sometimes it’s the firewall :)
https://blog.bressem.com/2025/11/palo-alto-is-missing-the-new-sectigo-root-cas/
Don’t terminate GRE on a firewall. It’s a security device first and not a router. And when it is a router, it can do limited stuff at best. No TCP adjust MSS and generally will break PMTUD.
Why shouldn’t we terminate GRE on a firewall? Is there any technical reason for that?
To my mind, GRE is quite easy (compared to IPsec), hence I don’t expect any security issues with it.
From a routing perspective, it’s just another tunnel interface that is used.
From a security perspective, it’s not relevant which technology is behind a tunnel interface (e.g., GRE or IPsec).
That’s just wrong recommendation.
Given the issue you were experiencing was specifically with TCP-based applications, I would encourage you to look at adjusting MSS clamping instead of lowering MTU. MSS only applies to TCP traffic whereas MTU applies to all IP traffic.
Take a look at some articles like this one (I co-authored):
https://developers.cloudflare.com/magic-transit/reference/mtu-mss/
The Cloudflare document is about Magic Transit which is a Layer 3/4 DDoS mitigation solution, but GRE is GRE. Setting MSS to 1436 would probably be ideal for your scenario.
Palo Alto offers an option to adjust MSS on the Advanced tab on any of your Ethernet network interfaces.
If it ain’t broke – don’t fix it.
Don’t listen to these guys ridiculing you for terminating GRE on a firewall. There’s legitimate use cases for landing GRE tunnels on a firewall just the same as there are for landing them on a router.
As someone that’s been working in the security business for many years – including the company that makes the firewalls you use, I can say that there’s plenty of organizations that can and do land GRE on their firewalls. Note that Palo Alto didn’t add support for GRE until PAN-OS 9.x timeframe. Why? Because there was an overwhelming number of enterprise customers clamoring for it.
Keep doing what you’re doing. I enjoy reading you r blog when time permits.