ZEN MTU - Specifically relating to UDP

Rather arcane question, but was wondering if any of the Zscaler folks have any idea what the MTU is on the ZENs? We’re seeing IPSEC return packets coming back from the ZENs for UDP traffic with a total packet size greater than 1500 bytes; when the IPSEC/IP headers are added, the total packet exceeds 1500 bytes, causing fragmentation. By decoding the reassembled packets we can see:

  • Data == 1444
  • UDP Header == 1452
  • IP Header == 1472
  • ESP Header == 1480
  • UDP Header == 1488
  • IP Header == 1508

We’re not sure if this is intended behavior or whether we should expect the ZENs to be fragmenting UDP packets within the tunnel, rather than transmitting a jumbo encapsulated frame and having it fragmented in path. Obviously this isn’t an issue for TCP data as MSS prevents jumbos, and because it’s return traffic the customer doesn’t really have any way of influencing it.

Our support guys have raised a ticket in parallel, but didn’t know if anyone had run into this in the past.
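To make the decode above easier to reason about, here is an added example (not from the original post or from Zscaler) that walks the same header stack: inner UDP, inner IP, ESP, the NAT-T UDP header, and the outer IP header. It assumes fixed-size headers with no IP options and counts only the ESP header, as the post's decode does (the ESP trailer and ICV are left out), and it assumes a plain 1500-byte link MTU. It computes the cumulative sizes, the largest UDP payload that still fits without fragmentation, and how many outer IP fragments result if the encapsulated packet is fragmented in path.

```python
# Constructed example: IPsec/NAT-T encapsulation overhead for a UDP datagram.
# Header sizes are assumed (fixed headers, no options); ESP trailer/ICV are not
# counted because the post's decode lists only the ESP header.

from math import ceil

LINK_MTU = 1500

# Encapsulation order, innermost first, with the size each layer adds.
LAYERS = [
    ("UDP header", 8),
    ("IP header", 20),
    ("ESP header", 8),
    ("UDP header (NAT-T)", 8),
    ("IP header (outer)", 20),
]


def encapsulation_sizes(payload, layers=LAYERS):
    """Return [(layer, cumulative size)] in the same shape as the post's decode."""
    sizes = [("Data", payload)]
    total = payload
    for name, hdr in layers:
        total += hdr
        sizes.append((name, total))
    return sizes


def overhead(layers=LAYERS):
    """Total bytes the tunnel adds on top of the UDP payload."""
    return sum(size for _, size in layers)


def max_payload(mtu=LINK_MTU, layers=LAYERS):
    """Largest UDP payload whose encapsulated packet still fits the link MTU."""
    return mtu - overhead(layers)


def needs_fragmentation(payload, mtu=LINK_MTU, layers=LAYERS):
    """True if the outer packet would exceed the link MTU."""
    return encapsulation_sizes(payload, layers)[-1][1] > mtu


def outer_fragments(payload, mtu=LINK_MTU, layers=LAYERS):
    """Number of outer IP fragments if the sender encapsulates first and the
    outer packet is fragmented in path. IP fragments carry the outer IP header
    plus a payload that is a multiple of 8 bytes (except the last fragment)."""
    outer_total = encapsulation_sizes(payload, layers)[-1][1]
    outer_ip_header = layers[-1][1]
    data_len = outer_total - outer_ip_header
    per_fragment = ((mtu - outer_ip_header) // 8) * 8
    return ceil(data_len / per_fragment)


if __name__ == "__main__":
    for name, size in encapsulation_sizes(1444):
        print(f"{name:20s} == {size}")
    print("tunnel overhead:", overhead())
    print("largest payload without fragmentation:", max_payload())
    print("1444-byte payload fragments:", needs_fragmentation(1444), outer_fragments(1444))
```

Running it reproduces the post's figures (1444 → 1452 → 1472 → 1480 → 1488 → 1508): the tunnel adds 64 bytes, so any UDP payload above 1436 bytes produces an outer packet larger than 1500 bytes, and the 1508-byte packet becomes two outer fragments (1500 + 28 bytes). A defender reviewing a similar capture can drop in their own header sizes (for example a non-NAT-T tunnel without the extra UDP header) to see where the effective tunnel MTU lands.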

Hi Andrew,
You may be seeing ESP fragmentation. We would be sending the data as two ESP packets, and when you decapsulate the packet, your device will see the complete UDP packet; your device may then be fragmenting it and sending it across to the user machine.