Configurations on edge devices
This section details the configurations you need to carry out on your edge device, using the details from the Forcepoint ONE SSE portal.
The following diagram illustrates the example configurations. You need to use your actual configurations to set up tunnels on your edge devices.
Maximum segment size (MSS)
The encapsulation overhead of the GRE tunnel means that TCP sessions sent over the tunnel must be limited to a lower Maximum Segment Size (MSS) than usual. Most TCP clients will propose an MSS value of 1460 bytes when connecting over an Ethernet network. The GRE encapsulation overhead comprises 24 bytes (4 bytes for the GRE header, and 20 bytes for the inner IP header).
TCP clients must use an MSS value of no more than 1436 bytes for GRE. This can often be achieved by using the MSS clamping feature of a firewall or router to ensure that any TCP traffic sent down the GRE tunnel is limited to an MSS value of 1436.
Where the WAN connection to the Forcepoint data center is using the IPoE or PPPoE protocol, the MSS value may need to be lower still, to account for the encapsulation overhead of the WAN connection.
To display the current MSS setting for your tunnel interface, use the appropriate show interface command on your edge device.
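The following Python sketch is an added example, not Forcepoint code or part of the original page. It derives the MSS limit from the overheads described above and shows what an MSS clamp does to a TCP SYN: it lowers the MSS option and adjusts the TCP checksum incrementally. The 8-byte PPPoE overhead, the function names and the sample SYN header are assumptions constructed for illustration.

```python
import struct

GRE_OVERHEAD = 24    # from the page: 4-byte GRE header + 20-byte IP header
IP_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options
PPPOE_OVERHEAD = 8   # assumption: 6-byte PPPoE header + 2-byte PPP protocol ID

def tunnel_mss(wan_mtu=1500, wan_overhead=0):
    """Largest MSS that crosses the GRE tunnel without fragmentation."""
    return wan_mtu - wan_overhead - GRE_OVERHEAD - IP_TCP_HEADERS

def csum_update(csum, old, new):
    """Incremental Internet checksum update for one 16-bit word (RFC 1624)."""
    s = (~csum & 0xFFFF) + (~old & 0xFFFF) + new
    s = (s & 0xFFFF) + (s >> 16)
    return ~((s & 0xFFFF) + (s >> 16)) & 0xFFFF

def clamp_syn_mss(segment, limit):
    """Lower the MSS option of a TCP SYN to `limit`; other segments pass through."""
    tcp = bytearray(segment)
    hdr_len = (tcp[12] >> 4) * 4 if len(tcp) >= 20 else 0
    if hdr_len < 20 or hdr_len > len(tcp) or not tcp[13] & 0x02:
        return bytes(segment)          # truncated, malformed, or not a SYN
    i = 20
    while i + 1 < hdr_len and tcp[i] != 0:      # kind 0 ends the option list
        if tcp[i] == 1:                          # NOP padding is a single byte
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2 or i + length > hdr_len:
            break                                # malformed option: stop parsing
        if tcp[i] == 2 and length == 4:          # MSS option: kind 2, length 4
            if struct.unpack_from("!H", tcp, i + 2)[0] > limit:
                struct.pack_into("!H", tcp, i + 2, limit)
                csum = struct.unpack_from("!H", tcp, 16)[0]
                for off in range((i + 2) & ~1, i + 4, 2):   # aligned words touched
                    old, = struct.unpack_from("!H", segment, off)
                    new, = struct.unpack_from("!H", tcp, off)
                    csum = csum_update(csum, old, new)
                struct.pack_into("!H", tcp, 16, csum)
            break
        i += length
    return bytes(tcp)

# Constructed sample SYN (ports 40000 -> 443; options MSS=1460, NOP, NOP, SACK-permitted); checksum is a placeholder.
SAMPLE_SYN = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x70, 0x02, 64240, 0xBEEF, 0) \
    + bytes([2, 4, 0x05, 0xB4, 1, 1, 4, 2])

if __name__ == "__main__":
    print(tunnel_mss(), tunnel_mss(wan_overhead=PPPOE_OVERHEAD), clamp_syn_mss(SAMPLE_SYN, tunnel_mss()).hex())
```

On a real edge device the same result comes from the vendor's MSS clamping feature; the sketch only makes visible which bytes of the SYN that feature changes.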