09-12-2011 06:30 AM
Hello,
I run MPLS in the core of my SP network. I have some customers who complain that they can't access Yahoo or Hotmail from the MPLS platform.
(The complaints come from some of my ISP customers' customers; my ISP customers work fine from their own network.)
But on my non-MPLS platform, I don't have any issues whatsoever.
I have narrowed it down to MTU issues, but I am not sure where to fix it.
The customers are connecting on an ME3400 switch and they get an IP from a subinterface on an ASR 9K.
Customers connecting directly to my ASR9K don't have any issues accessing the sites whatsoever.
Has anyone faced a similar issue? Please advise.
Rgds
09-12-2011 11:01 AM
Hi Peter,
To start with, please provide a network topology and explain how and where you have identified this as an MTU issue.
Also, what is special about Yahoo and Hotmail? Are there any other affected websites? Does YouTube, for instance, work fine or not?
If customers directly connected to the ASR9K do not have issues, then obviously it should be something downstream.
09-20-2011 12:46 AM
Hi Peter,
You can simply verify whether this is really an MTU issue. Just add the "ip tcp adjust-mss 1200" command to any L3 non-MPLS interface, e.g. a PE-CE interface.
The MSS (maximum segment size) is negotiated during TCP establishment (the 3-way handshake). With the command, the router modifies the maximum segment size in the 3-way handshake packets, so the peers involved in the communication will never produce TCP segments exceeding the size configured in the command. Having smaller TCP segments, you will also have smaller IP packets, which should not exceed the default MTU of 1500 B.
1200 (tcp segment) + 20 (normal tcp header) + 20 (normal IP header) + 12 (MPLS - 3levels deep stack) < 1500
TCP SYN:
TCP SYN-ACK:
You can find more about TCP MSS adjustment here:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ft_admss.html
BR
Juraj
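To make the arithmetic in Juraj's post concrete, here is an added Python example (not from the thread and not Cisco code) that checks whether an MSS fits the MTU with a 3-label MPLS stack, builds a constructed TCP SYN carrying an MSS option, reads the advertised MSS, and rewrites it the way "ip tcp adjust-mss" does on handshake packets. Header sizes follow the post; the TCP checksum recomputation a real device performs is left out, as noted in the code.

```python
import struct

IP_HDR, TCP_HDR, MPLS_LABEL, MTU = 20, 20, 4, 1500  # sizes used in the post

def largest_safe_mss(mtu=MTU, label_depth=3):
    """Largest TCP payload that still fits the MTU once IP, TCP and the label stack are added."""
    return mtu - IP_HDR - TCP_HDR - label_depth * MPLS_LABEL

def fits_mtu(mss, mtu=MTU, label_depth=3):
    """The check from the post: mss + 20 + 20 + 4 per label must not exceed the MTU."""
    return mss + IP_HDR + TCP_HDR + label_depth * MPLS_LABEL <= mtu

def build_syn(src_port, dst_port, mss):
    """Constructed TCP SYN header (no IP header) with a single MSS option; checksum left at zero."""
    data_offset = 6  # 24 bytes = 20-byte header + 4-byte MSS option, counted in 32-bit words
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, data_offset << 4, 0x02, 65535, 0, 0)
    return hdr + struct.pack("!BBH", 2, 4, mss)  # option kind 2 = MSS, length 4

def _mss_option_offset(segment):
    """Walk the TCP option list and return the byte offset of the MSS option, or None."""
    end = (segment[12] >> 4) * 4  # data offset field gives the header length
    i = 20
    while i < end:
        kind = segment[i]
        if kind == 0:             # end of option list
            return None
        if kind == 1:             # NOP padding, single byte
            i += 1
            continue
        length = segment[i + 1]
        if kind == 2 and length == 4:
            return i
        i += length
    return None

def read_mss(segment):
    """Advertised MSS in a SYN or SYN-ACK, or None if the option is absent."""
    off = _mss_option_offset(segment)
    return None if off is None else struct.unpack("!H", segment[off + 2:off + 4])[0]

def adjust_mss(segment, limit):
    """What 'ip tcp adjust-mss <limit>' does to a handshake packet: lower the MSS option if it exceeds the limit."""
    off = _mss_option_offset(segment)
    out = bytearray(segment)
    if off is not None and read_mss(segment) > limit:
        out[off + 2:off + 4] = struct.pack("!H", limit)
    return bytes(out)  # assumption: a real device also recomputes the TCP checksum; omitted here

if __name__ == "__main__":
    syn = build_syn(40000, 80, 1460)            # 1460 is the usual MSS on a 1500-byte link
    print(fits_mtu(1460), fits_mtu(1200))       # False True: 1460 + 40 + 12 overflows 1500
    print(read_mss(adjust_mss(syn, 1200)))      # 1200
```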
09-25-2011 11:31 PM
Hi Peter,
Make sure to have read the following:
http://www.cisco.com/en/US/partner/docs/ios/12_2sb/feature/guide/newmtu.html
Now, perhaps the issue is related to Path MTU Discovery (PMTUD), which would explain why only some sites are impacted. You could try to ping with full MTU size and see whether you get ICMP replies back or not.
The following page explains PMTUD (in the case of IPSec tunneling) rather well. Have a look at it.
Thanks,
Luc
09-26-2011 08:21 AM
Hi Luc,
That link is available only for partners :-(
The problem with PMTUD is that it relies on ICMP (Type 3, Code 4), which is denied on the majority of FWs :-(. And security guys will not allow you to permit this type of traffic because of the many attacks based on this feature.
It is much easier to decrease the MTU or set the DF bit to 0 on the testing PC.
http://www.cisco.com/en/US/tech/tk870/tk877/tk880/technologies_tech_note09186a008011a218.shtml
j.
09-26-2011 09:22 AM
Hi,
I mentioned that link in order to show the explanation of how PMTUD works and why this can be related to some sites not working. Indeed, ACLs and FWs typically block the ICMP messages needed to make PMTUD work. The best solution is to lower the MTU at the edge of the network to make sure all traffic gets through. Many do not want to do this and go for adjusting the MSS. That will work too, but only for TCP traffic.
Thanks,
Luc