MTU Control

Fixed MTU Control

The VPN Gateway will not set the WAN interface on a DHCP or PPPoE connection to an MTU smaller than 600 bytes, even if a smaller value is specified in AT&T Administration Server. This logic is required to support DHCP packets. The MSS, however, will always be set to the value specified in AT&T Administration Server.

The MSS reduction is implemented with an iptables TCPMSS clamp rule on forwarded traffic. This rule controls the maximum segment size negotiated for a TCP connection when it is established through the VPN Gateway.

MTU values can also be specified on a per-tunnel basis in the multi-tunnel profile information. This only affects the MTU value and the MSS value for the IPSec interface associated with that specific tunnel. The per-tunnel MTU value must be smaller than the MTU size configured on the base profile minus the overhead associated with an IPSec tunnel. If the specified value is calculated to be too small, the VPN Gateway discards it.

NOTE: All WAN interfaces are affected when Fixed MTU is set -- dial out, dial in, PPPoE, DHCP, and static IP addresses.

Dynamic MTU Control

Dynamic MTU control allows the VPN Gateway to automatically set the MTU size based on available line speed.

This is necessary for the Voice DNA Remote Worker service, where a small MTU size is required on low-speed lines for good voice quality, but limiting all users to a 600-byte MTU negatively impacts their download performance. If the appropriate configuration is set in AT&T Administration Server for dynamic MTU control, the lower of the measured upstream and downstream bandwidth values determines which MTU size to use. Normally the following values will apply:

Rate (kB/s)    MTU (Tunnel)    MTU (No Tunnel)
< 256          540             540
256            600             700
384            1100            1100
512            1300            1500
640            1500            1500

When the upstream bandwidth is measured at anything less than 256 Kbps, the MTU size is set to 540. From 256 Kbps up to (but not including) 384 Kbps, it is set to 600 if there is a tunnel configured or 700 if there is no tunnel.

The VPN Gateway will not set the WAN interface on a DHCP or PPPoE connection to an MTU smaller than 600 bytes. This logic is required to support DHCP packets. The MSS will always be set to the determined value.
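The selection logic above, sketched as an added shell example (not the VPN Gateway's own code): it picks the MTU from the slower direction, applies the 600-byte WAN floor for DHCP/PPPoE, and still derives the MSS from the determined value. Function names are hypothetical, the tiers above 384 are read from the table as lower bounds, MSS is assumed to be MTU minus 40 bytes of IPv4 and TCP headers, and the iptables line is the generic TCPMSS clamp form rather than the gateway's actual rule.

```shell
#!/bin/sh
# Rates use the table's units; each table row is treated as a tier's lower bound (assumption).

# select_mtu UP DOWN TUNNEL(yes|no) -> MTU determined from the slower direction
select_mtu() {
    rate=$1
    if [ "$2" -lt "$rate" ]; then rate=$2; fi
    if   [ "$rate" -lt 256 ]; then tun=540;  notun=540
    elif [ "$rate" -lt 384 ]; then tun=600;  notun=700
    elif [ "$rate" -lt 512 ]; then tun=1100; notun=1100
    elif [ "$rate" -lt 640 ]; then tun=1300; notun=1500
    else                           tun=1500; notun=1500
    fi
    if [ "$3" = yes ]; then echo "$tun"; else echo "$notun"; fi
}

# wan_mtu MTU CONN_TYPE -> MTU applied to the WAN interface.
# DHCP and PPPoE links are never set below 600 bytes.
wan_mtu() {
    case $2 in
        dhcp|pppoe) if [ "$1" -lt 600 ]; then echo 600; return; fi ;;
    esac
    echo "$1"
}

# mss_for MTU -> MSS, assuming 20-byte IPv4 + 20-byte TCP headers, no options.
mss_for() { echo $(( $1 - 40 )); }

# clamp_rule MSS -> generic TCPMSS clamp on forwarded SYN packets (illustrative form).
clamp_rule() {
    echo "iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $1"
}

# plan UP DOWN TUNNEL CONN_TYPE -> summary; MSS follows the determined MTU,
# not the floored WAN MTU.
plan() {
    m=$(select_mtu "$1" "$2" "$3")
    echo "determined=$m wan=$(wan_mtu "$m" "$4") mss=$(mss_for "$m")"
}

# Constructed sample: 200 up / 1500 down, tunnel configured, PPPoE link.
plan 200 1500 yes pppoe
clamp_rule "$(mss_for "$(select_mtu 200 1500 yes)")"
```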

Packet Fragmentation

The VPN Gateway can be set to ignore the Do Not Fragment (DF) flag on incoming packets. Some applications ignore the negotiated MSS size and send packets that are too large for the WAN interface; these packets would otherwise be blocked. When the VPN Gateway is set to ignore the DF flag, it fragments the IP packets so they fit in the packet size available on the WAN interface.