topic Re: Wireless client MTU/MSS Issues over IPSEC vpn in Wireless

Wireless client MTU/MSS Issues over IPSEC vpn

Jerome_N8 — Mon, 05 Jul 2021 06:57:45 GMT

Hi,

I'm having some issues with setting up a Guest SSID on a Lightweight AP using H-Reap mode.

The issue is that the clients won't load the Guest Web Login page unless I manually reduce the mtu size on the client, eg from 1500 to 1300.

I'll try and give an overview of the setup:

Wireless client ---> Lwap ---> 3750 ---> 1800 ---> VPN Tunnel ---> ASA ---> 6500 ---> WLC

What I'd like to know is if there's anyway that I can make all the packets for this particular guest wireless vlan go through the vpn with a smaller mtu?

I've tried setting the ip tcp mss-adjust on the 1800 router but it doesn't seem to have an effect.

Any help greatly appreciated

Thanks

Wireless client MTU/MSS Issues over IPSEC vpn

Saravanan Lakshmanan — Tue, 14 Jan 2014 17:22:22 GMT

Enable tcp mss on APs from WLC. config ap tcp-mss-adjust enable all.

default is 1363, if it does not work keep reducing.

Wireless client MTU/MSS Issues over IPSEC vpn

Jerome_N8 — Tue, 14 Jan 2014 17:41:16 GMT

Hi Saravan,

I tried this already and I don't think it works in H-Reap mode, when I make the adjustment I don't see this reflected in the packets in wireshark. They remain as 1390 from the WLC and 1460 from the client.

If I reduce the mtu on the client directly to 1300 I see the packets from the client with MSS 1260 and this works perfectly, but obviously I'm not able to manually reduce the mtu on every client that will connect to this guest network.

Any other ideas?

Re: Wireless client MTU/MSS Issues over IPSEC vpn

Saravanan Lakshmanan — Tue, 14 Jan 2014 20:29:54 GMT

is it hreap local or central switching. central switching may still use tcp-mss.

with hreap local switching, on AP you can reduce the MTU size. but the setting doesn't sustain AP reboot.

Telnet/SSH/Console to AP to change the MTU to desired Bytes:

debug capwap con cli

config t

int gi0

mtu 1500

int bvi1

mtu 1500

Note: This workaround does not survive an AP reboot, and must be reapplied if the AP is rebooted.

other Workrounds: Alternatively MTU size can be trimmed on the wireless client Ex:1200 bytes or On an upstream IOS router, which is between the client and the wired network, use "ip tcp adjust-mss", if unable to do these try setting "ip mtu" on the wired VLANs' default router interfaces.

Wireless client MTU/MSS Issues over IPSEC vpn

Jerome_N8 — Wed, 15 Jan 2014 12:35:26 GMT

I've tried all of the above and none of them work, it seems like nothing is adjusting the mtu size, the only thing that works is adjusting it manually on the pc.

I've tried setting the vlan on the switch for the guest network to 1300, setting the gi interface on the access point to 1300, and tried setting the mtu/mss on the router interfaces to 1300.

I previously had this working without using h-reap by setting the mss to 1300 on the WLC but then their guest traffic was routing through our main office which was proving to be unstable.

Wireless client MTU/MSS Issues over IPSEC vpn

Saravanan Lakshmanan — Wed, 15 Jan 2014 13:23:57 GMT

are hreap local switching possible.

what is the model of AP, WLC and code.

tcp mss applicable only on tcp over mss. try setting tcp mss to 1200.

or set mtu on AP to 1250 or below.

open TAC case, if above does not work.

Wireless client MTU/MSS Issues over IPSEC vpn

Jerome_N8 — Wed, 15 Jan 2014 16:14:45 GMT

AP = AIR-LAP1262N-E-K9

WLC = 4402

Version = 7.0.98.218

When you say try setting tcp on mss to 1200, on which device should I try that?

Re: Wireless client MTU/MSS Issues over IPSEC vpn

Saravanan Lakshmanan — Wed, 15 Jan 2014 16:30:08 GMT

on top of actual ip - capwap, vpn header adds up.

it is good to have the setting on device close to AP and nice to set on all intermediate devices.

did you try to reduce mtu/mss on vpn.

if old AP models with central switching or local mode AP not seeing this issue then its possible 126X running a bug. incorrect DF bit set could be an issue.

7.0mr5 is out, try on it.