meraki MTU

 You need to call meraki support to check and get MTU changed.

WAN MTU is 1500 by default

Auto VPN MTU is 69 bytes less (1431 by default)

If you call meraki to change MTU it should create a blip, they said full reboot not needed

-20 for TCP

-20 for IP

-8 for PPPOE

palo alto mtu

 https://docs.paloaltonetworks.com/globalprotect/5-2/globalprotect-app-new-features/new-features-released-in-gp-app/configurable-maximum-transmission-unit-for-globalprotect-connections

mtu issues in wireshark

Small packets are working like ping

TCP 3 way handshake is setting up

However when we move into setting TLS / https connection its failing. This can be the MTU is too big for the MTU on the path. The TCP window will scale up as the connection goes on.

Things to try:

tracert -d x.x.x.x

See what network devices you pass through and check the MTU on those. (if you can)

On the client:

ping –l 1490 -f 8.8.8.8

Reduce 1490 by 20 until you find a working value where the pings respond.

Remember the value when the ping command is working isn't the MTU but ICMP payload. This confuses a lot of people. MTU 1500 == ICMP payload 1472 (20 Bytes for IP and 8 Bytes for ICMP, I think). You can also check the MTU's on the path

PathMTU discovery is not reliable, will investigate MSS clamping, which can be enabled on your firewall / VPN endpoints.

CMD to check the MTU in windows

netsh int ipv4 show subinterface

CMD to set MTU in windows

netsh interface ipv4 set subinterface “Local Area Connection” mtu=1458 store=persistent

ASA should set MTU 1380 by default to account for IPsec tunnels

Palo needs to be configured

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113393-asa-troubleshoot-throughput-00.html#anc14

Cisco anyconnect - MTU-D packet 1200 bytes greater than effective mtu 986

MTU issues with anyconnect – traffic coming back in from outside as being dropped as it was too big

An error message like this was appearing in ASDM logs
MTU-D packet 1200 bytes greater than effective mtu 986

- conf t

- group-policy SSL--CLIENTS attributes

- webvpn

- anyconnect ssl df-bit-ignore enable

wr

disconnect/reconnect anyconnect and retest

This will ignore the defragmentation of the bits and it will allow the packets to pass through no matter of the MTU size.

enable jumbo frame on cisco 3850

conf t
system mtu 9198
wr
reload

Taken from cisco forums
The limitations of the platform in question would make no sense if system mtu routing would apply to routed ports, but at the same time would not apply to SVIs. The point here seems to be that the model line cannot fragment in hardware.  So to avoid that, it just makes sure every L3 interface (routed port  and SVI alike) has the same IP MTU, so there is never any need to  fragment a packet.
I've tested this in the lab using two 3560E chassis, trivially set up with the default VLAN, connected through Gigabit (so system mtu jumbo will apply) and then pinging each other's SVIs. Now let's configure the  following (using the maximum frame size the platform supports, there's  not much sense in limiting it here):
system mtu jumbo 9198
After rebooting, all physical ports running 1000Base or better will allow payloads of up to 9198 bytes to be encapsulated. The routing mtu will still be 1500 at this point. Try to ping one switch from the other like
ping 10.1.1.2 size 1500 df-bit
and it will succeed, but increasing size to 1501 will fail.
Now let's add:
system mtu routing 9000
to both switches and try again (no reboots needed). You will see that
ping 10.1.1.2 size 6000 df-bit
will suddenly work now, and the interface counters  will make clear that no fragmentation happens - it's really a single  6000 byte IP packet bouncing forth and back between the switches. That  works up to 9000, and starts failing at 9001, exactly as you would  expect.
Why is there a rumour that system mtu routing doesn't apply to SVIs? Probably because show interface of an SVI will show you an MTU of 1500 (or whatever your system mtu is), while the same command applied to a routed port will show 9000.  This seems to be a glitch, as so often with interface MTU in show  commands. More specifically, the show interface MTU is  supposed to be the potential payload MTU of the underlying physical  interface of that routed interface, and there are other cases where it  displays rubbish. One should always compare to the IP MTU as given by show ip interface. Et voila: The IP MTU of our SVI (as given through show ip int vl1) displays as 9000. So the succeeding ping is not a mystery and system mtu routing does exactly what it intuitively states: Change the IP MTU of every L3 interface of the platform.
I know this won't help in cases like the one discussed  here, where supposedly two L3 interfaces running at different MTUs are  needed. In such cases, one should first reassure that what's needed is  really that and there's no way to redesign the setup to avoid that (by  placing L3 and L2 boundaries appropriately). If there is no way around  that, the 3560 will likely have to go for something that has  per-interface IP MTU, like the 49xx or 4500X platforms.
Discussions about MTU often mix up different problems  and lead to chaos. IMO this is because two things are often not regarded  to the necessary extent by the participants:

1. There is not one MTU. When talking about MTU, always define  the layer you consider. That's often hard because you actually have to  think about a layer boundary, so two layers are involved. The mythical  1500 for instance is the L3 MTU on top of a classic L2 of the Ethernet  family. Things fundamentally change when you discuss L2 MTUs with regard  to some underlying L1 (but things are easier here, as L1+L2 are often  developed together as one technology, while the boundary between  technology layers and the network layer has more degees of freedom).
2. MTU  doesn't exist as such, but is an emerging concept. In other words, MTU  is what everybody in a system of communicating nodes (typically a  broadcast domain) thinks it is, with the emphasis on everybody.  In that sense it's like the IP network that lives on top of a broadcast  domain - it doesn't exist per se, but by convention of everybody using  that broadcast domain as a bearer for IP packets sourced from  non-colliding adresses from the same visibility range (aka prefix, aka  network and netmask, in ancient times aka subnet/subnetmask). MTU is a  convention as well, a single node just changing its MTU (up or down from  the convention, that is, what everybody else uses) is a recipe for  disaster. That's why you don't do it except you know exactly what you  are doing, and have the might to change it everywhere in a broadcast  domain (every involved intermediate network device and every end node).  It's viral. Luckily it's not as widespread as the viral issue of people  configuring ports full duplex because that's what they always did,  introducing duplex mismatches up and down and then telling you that as  obviously auto negotiation doesn't work, they will continue this  practice. You see the common scheme: Breaking a convention is a bad  idea, unless you are the sole dictator.