VPN Client MTU

xzevallos
Level 1

In the release notes for Cisco VPN Client 4.0, it recommends decreasing the MTU size on the client side if you experience problems with certain applications (default MTU is 1300). Could someone please explain the issue in detail and why decreasing the MTU works in this case?

1 Reply

Marvin Rhoads
Hall of Fame

1300 sounds pretty low already. Are you sure it's not 1500? In any case, the issue is summarized in the following tech note:

The IP protocol family was designed to use a wide variety of transmission links. The maximum IP packet length is 65000+ bytes. Most transmission links enforce a smaller maximum packet length limit, called maximum transmission unit, or MTU, which varies with the type of the transmission link. The design of IP accommodates link packet length limits by allowing intermediate routers to fragment IP packets as necessary for their outgoing links. The final destination of an IP packet is responsible for reassembling its fragments as necessary.

For example, the MTU for the most common encapsulation of IP over an Ethernet transmission link (RFC 894) is 1500 bytes. By convention the MTU includes the entire IP datagram, including all IP headers, but excludes link encapsulation headers. The extra link-level headers for the RFC 894 encapsulation comprise 18 bytes, for a maximum Ethernet frame size of 1518 bytes.

In theory fragmentation should be at worst a fairly minor performance issue, but in practice it can lead to a complete inability to communicate using long packets. Path MTU discovery, a common technique for avoiding fragmentation that is discussed below, can fail catastrophically.

A TCP connection has two ends, and fragmentation could occur in either direction. Two factors limit the maximum TCP packet length in each direction: the MTU of the source computer's outgoing interface, as seen by its IP stack, and the Maximum Segment Size (MSS), if any, that was announced by the destination computer during TCP setup. (MSS numbers are normally 40 bytes smaller than MTU numbers, since MSS excludes the 20-byte IP header and 20-byte TCP header.)

IPSec can make fragmentation problems worse, because it lengthens each IP packet by one, or possibly two, IP headers. These added headers vary in length by choice of IPSec protocols (and whether IntraPort's "NAT transparency" is also in use), but empirically they do not exceed 80 bytes per packet. For the most common encapsulation of IP over Ethernet, the standard MTU is 1500 bytes. But if an application emitted a 1500-byte packet that needed to travel through an IPSec tunnel, the added IPSec headers would require fragmentation of each packet. A good technique (the best technique, really) for avoiding fragmentation with IPSec is reducing the interface MTU that applications and the IP protocol stack see on both ends of the TCP connection. If the applications and the IP protocol stack think the interface MTU is 1420 bytes or less, they will not emit packets that need to be fragmented after IPSec encapsulation for transport through Ethernet-size-capable routers and links.
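The arithmetic in the reply above (MSS = MTU minus the 20-byte IP and 20-byte TCP headers, up to 80 bytes of IPsec overhead on a 1500-byte Ethernet link, hence an inner MTU of 1420), plus what a router does with a datagram that does not fit, as an added worked example. This is not code from the thread or from Cisco; the 80-byte overhead and the 1420/1500 figures are the ones quoted in the answer, the `fragment` and `router_forward` helpers are constructed here to illustrate standard IP behaviour (8-byte fragment offset granularity, DF-bit handling on which path MTU discovery relies), and the sample packet sizes are made up.

```python
"""Added example: interface MTU, TCP MSS and IPsec overhead, and how an
oversized datagram is fragmented (or dropped) at a 1500-byte link."""

IP_HEADER = 20            # bytes, no options
TCP_HEADER = 20           # bytes, no options
ETHERNET_MTU = 1500       # RFC 894 encapsulation, as quoted in the answer
IPSEC_OVERHEAD_MAX = 80   # empirical upper bound quoted in the answer


def tcp_mss_for_mtu(mtu: int) -> int:
    """MSS a host announces for an interface MTU: MSS excludes IP and TCP headers,
    so it is 40 bytes smaller than the MTU."""
    return mtu - IP_HEADER - TCP_HEADER


def safe_inner_mtu(link_mtu: int = ETHERNET_MTU,
                   tunnel_overhead: int = IPSEC_OVERHEAD_MAX) -> int:
    """Largest MTU the application side can use so that, after IPsec encapsulation,
    the outer packet still fits the physical link without fragmentation."""
    return link_mtu - tunnel_overhead


def needs_fragmentation(inner_len: int, tunnel_overhead: int,
                        link_mtu: int = ETHERNET_MTU) -> bool:
    """True when an inner packet of inner_len bytes, once wrapped by the tunnel,
    exceeds the link MTU and must be fragmented (or dropped if DF is set)."""
    return inner_len + tunnel_overhead > link_mtu


def fragment(total_length: int, mtu: int, header_len: int = IP_HEADER) -> list:
    """Split an IP datagram of total_length bytes into fragments fitting mtu.

    Returns (offset_bytes, payload_bytes, more_fragments) tuples. Fragment
    offsets are expressed in 8-byte units on the wire, so every fragment except
    the last carries a payload that is a multiple of 8 bytes. Each fragment
    repeats the IP header, which is the per-fragment cost the reply refers to.
    """
    payload_total = total_length - header_len
    if total_length <= mtu:
        return [(0, payload_total, False)]
    max_payload = (mtu - header_len) // 8 * 8   # constructed: round down to 8
    frags, offset = [], 0
    while offset < payload_total:
        size = min(max_payload, payload_total - offset)
        more = offset + size < payload_total
        frags.append((offset, size, more))
        offset += size
    return frags


def router_forward(total_length: int, df_set: bool,
                   link_mtu: int = ETHERNET_MTU) -> str:
    """Model of an intermediate router's decision for one datagram (constructed).

    If the packet fits, it is forwarded as is. If it does not fit and DF is
    clear, it is fragmented. If it does not fit and DF is set, it is dropped and
    an ICMP "fragmentation needed" message is owed to the sender; path MTU
    discovery depends on that message actually arriving, which is why the
    reply says PMTUD can fail catastrophically when it does not.
    """
    if total_length <= link_mtu:
        return "forwarded"
    if df_set:
        return "dropped, ICMP fragmentation-needed sent"
    return "fragmented into %d pieces" % len(fragment(total_length, link_mtu))


if __name__ == "__main__":
    # Constructed walk-through with the figures from the answer.
    print("Safe inner MTU behind IPsec on Ethernet:", safe_inner_mtu())
    print("MSS announced for that MTU:", tcp_mss_for_mtu(safe_inner_mtu()))
    for inner in (1500, 1420):
        outer = inner + IPSEC_OVERHEAD_MAX
        print("inner %d -> outer %d: fragment? %s; router: %s"
              % (inner, outer, needs_fragmentation(inner, IPSEC_OVERHEAD_MAX),
                 router_forward(outer, df_set=False)))
    print("fragments of a 1580-byte datagram at MTU 1500:", fragment(1580, 1500))
```

Run it as a script to see the full walk-through; the key point it makes concrete is that a 1500-byte inner packet becomes a 1580-byte outer packet and is split into two fragments (1480 + 80 bytes of payload, each with its own IP header), whereas capping the inner MTU at 1420 keeps every encapsulated packet at or under 1500 bytes.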