ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your organization has established an IPsec site-to-site VPN between its on-premises firewall and an AWS virtual private gateway. During performance testing, large file transfers (packets over about 1400 bytes) consistently fail, while small pings succeed. Packet captures show repeated ICMP "fragmentation needed" messages and no ESP packets larger than 1420 bytes. Which common IPsec deployment issue is most likely responsible for this behavior?
Phase 1 is configured for aggressive mode instead of main mode, leading to periodic re-authentication and packet loss.
Perfect Forward Secrecy (PFS) is disabled, so the reuse of keying material triggers replay protection and discards large packets.
The VPN is using transport mode rather than tunnel mode, so exposed inner headers are being filtered by intermediate routers.
ESP overhead causes packets to exceed the path MTU, and with the DF bit set they cannot be fragmented, so large packets are dropped.
Encapsulating an IP packet with IPsec ESP adds 20-70 bytes of header and trailer information. If the original packet is already near the path MTU (often 1500 bytes on Ethernet), the extra overhead pushes the frame size above the MTU. Because the original packet usually carries the Don't Fragment (DF) bit, intermediate routers cannot fragment the now-larger packet. They instead send ICMP Type 3 Code 4 ("fragmentation needed") messages, which many firewalls or hosts ignore. The result is that large packets are repeatedly dropped, while smaller ones pass. Lowering the MSS or enabling proper Path-MTU discovery on the VPN devices addresses the problem. Phase-1 mode selection, PFS settings, and tunnel-versus-transport mode choices do not cause size-related drops; they affect security strength or header exposure but not fragmentation behavior.