Hi,
Thanks for the reply.
The issue being faced is that some HTTP application has DF=1 (Don't Fragment) in the IP header and the traffic is being dropped midway to the destination. If the inner DF bit is not copied to the outer header in IPsec, ICMP Type 3 Code 4 is not transmitted back to the source by the SRX and traffic is getting dropped.
After adding "set ipsec vpn xxxx df-bit copy" to the IPsec tunnel config, ICMP Type 3 Code 4 is being relayed to the source, allowing for TCP window resizing. Very often ICMP is filtered, and relying on ICMP Type 3 Code 4 is not what we want in this case.
Before, copying the DF bit from inner to outer header :-
When we send ICMP with DF=0 and large-sized packets, fragmentation is happening and we are receiving the ICMP replies.
When we send ICMP with DF=1 and large-sized packets, no ICMP replies are being received.
This indicates that when DF=0 for large packets, fragmentation is happening and working correctly.
I was looking for some solution where the original DF bit in the IP header can be cleared.
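The following is an added example, not code from this thread or from Juniper: a byte-level model of what the post describes. It builds an IPv4 header, shows where the DF bit lives, models the tunnel endpoint's three choices for an oversized inner packet (outer DF copied, cleared, or forced), generates and parses the ICMP Type 3 Code 4 message that PMTUD depends on, and shows what clearing the original DF bit on the inner header looks like (including the checksum fix). The encapsulation overhead, addresses and MTU figures are constructed for the example; the `clear`/`copy`/`set` policy names are this model's own and not a vendor CLI.

```python
import socket
import struct

IP_FLAG_DF = 0x4000   # 'Don't Fragment' is bit 14 of the IPv4 flags/fragment-offset field
ESP_OVERHEAD = 57     # constructed figure: new outer IPv4 header + ESP header/trailer/ICV


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used by both the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def with_ip_checksum(hdr: bytes) -> bytes:
    """Recompute the IPv4 header checksum (bytes 10-11) over the 20-byte header."""
    zeroed = hdr[:10] + b"\x00\x00" + hdr[12:]
    return zeroed[:10] + struct.pack("!H", inet_checksum(zeroed)) + zeroed[12:]


def build_ipv4_header(total_length: int, df: bool, src="10.0.0.1", dst="10.0.1.1", proto=6) -> bytes:
    """Minimal 20-byte IPv4 header (TCP by default); addresses are constructed."""
    flags_frag = IP_FLAG_DF if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234, flags_frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return with_ip_checksum(hdr)


def df_is_set(hdr: bytes) -> bool:
    return bool(struct.unpack("!H", hdr[6:8])[0] & IP_FLAG_DF)


def clear_df(hdr: bytes) -> bytes:
    """Clear DF on the original (inner) header and fix its checksum: the byte-level
    effect of a policy that clears DF before the packet is encrypted."""
    flags_frag = struct.unpack("!H", hdr[6:8])[0] & ~IP_FLAG_DF & 0xFFFF
    return with_ip_checksum(hdr[:6] + struct.pack("!H", flags_frag) + hdr[8:])


def icmp_frag_needed(inner_hdr: bytes, next_hop_mtu: int) -> bytes:
    """ICMP type 3 code 4 ('fragmentation needed and DF set') with the next-hop MTU
    in bytes 6-7 (RFC 1191), followed by the offending header plus 8 payload bytes."""
    quoted = inner_hdr[:20] + b"\x00" * 8        # payload bytes constructed as zeros
    msg = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + quoted
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def parse_frag_needed(msg: bytes):
    """What the sending host's PMTUD reads back: (type, code, next-hop MTU)."""
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    return icmp_type, code, mtu


def tunnel_ingress(inner_hdr: bytes, df_policy: str, tunnel_mtu: int) -> dict:
    """Model of the tunnel endpoint's choice for one inner packet.

    df_policy: 'copy'  -> outer DF mirrors the inner DF (the 'df-bit copy' behaviour)
               'clear' -> outer DF is always 0, so the encrypted packet may be fragmented
               'set'   -> outer DF is always 1
    """
    total_length = struct.unpack("!H", inner_hdr[2:4])[0]
    outer_df = {"copy": df_is_set(inner_hdr), "clear": False, "set": True}[df_policy]
    if total_length + ESP_OVERHEAD <= tunnel_mtu:
        return {"action": "forward", "outer_df": outer_df}
    if outer_df:
        # Outer DF=1: the encrypted packet cannot be fragmented, so the endpoint
        # reports the usable inner MTU back to the source. If ICMP is filtered on
        # the return path, PMTUD never sees this and the flow stalls.
        mtu = tunnel_mtu - ESP_OVERHEAD
        return {"action": "icmp_frag_needed", "next_hop_mtu": mtu,
                "icmp": icmp_frag_needed(inner_hdr, mtu)}
    # Outer DF=0: the endpoint fragments after encryption and the peer reassembles.
    return {"action": "fragment_outer", "outer_df": False}


if __name__ == "__main__":
    big = build_ipv4_header(1500, df=True)
    print("df-bit copy :", tunnel_ingress(big, "copy", 1500)["action"])
    print("df-bit clear:", tunnel_ingress(big, "clear", 1500)["action"])
    print("inner DF cleared:", tunnel_ingress(clear_df(big), "copy", 1500)["action"])
```

Running it with a 1500-byte inner packet and a 1500-byte tunnel MTU shows the three outcomes from the thread side by side: with DF copied, the endpoint must answer with Type 3 Code 4 (which only helps if that ICMP reaches the source); with the outer DF cleared, the encrypted packet is fragmented instead; and once the inner DF bit itself is cleared, the path no longer depends on ICMP at all. `inet_checksum()` over a finished header or ICMP message returns 0, which is the usual receive-side validity check.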