FWSM MTU

njwhitworth

Hi,

We have a central site with 6509-E running 12.2(17r)SX7 with FWSM module running 4.0(15).  The FWSM has a thin client VLAN (200) and a thin client server backend VLAN (400) configured on it.  We have 2 remote sites with thin clients VLANs (200) which connect to the central site thin client backend VLAN via encrypted tunnels over MPLS connections (GRE within IPSec).

In order to support the remote sites encryption requirements we have configured the max MTU on the thin client server backend VLAN interface (400) to be 1420 bytes.  The imaging server NIC in VLAN 400 is set to an MTU of 1420.  We have also configured the GRE tunnel interfaces on the WAN routers with an MTU of 1420 bytes.

The thin clients download an OS image from a server in VLAN 400 using tftp initially and then TCP/80.  Thin clients local to the central site can consistently and successfully download and install an OS image from the server in VLAN 400. However, thin clients at the remote site consistently hang during the second stage (tcp/80) of the image download.  After running a Wireshark capture on a local thin client during its OS imaging process I noticed the following: the imaging server in VLAN 400 is sending packets of 1434 bytes in length back to the thin client during the imaging process.  I also noticed that during the imaging process second stage (tcp/80) there are a large number of TCP previous segment lost, out-of-order, ACKed lost segment and duplicate ACK messages.

My questions are:

1) Why might the imaging server be ignoring the MTU set on its own NIC and the MTU set on its default gateway (interface VLAN 400 on the FWSM)?  We have to be able to reliably image thin clients on the remote sites and this issue may mean we miss our go live date.

2) Could the large number of TCP retransmissions be caused by the FWSM and be the reason that thin client imaging fails at the remote sites?

Any help would be very much appreciated.

Regards,

Nick


brquinn

1) If the FWSM attempts to forward a packet bigger than its configured MTU, it should fragment the packet. If the DF bit is set, however, it will drop the packet. What is the MTU set at on the FWSM interface? What is your tcpmss set to?   Ex: sysopt connection tcpmss 1380

2) Best way to troubleshoot this is to span the traffic on the switch on either side of the FWSM. Then check to see if the FWSM is changing the packets or passing them out of order. You can also enable the completion unit, which ensures the FWSM forwards packets in the order in which they were received. Ex: sysopt np completion-unit

If you can get simultaneous captures from the FWSM, can you upload them so we can take a look?

Thanks,

Brendan
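
The forwarding rule described in the reply above (forward if the packet fits, fragment if it does not, drop if DF is set) and the MSS check that goes with `sysopt connection tcpmss`, as an added example that is not part of the original thread. It assumes captures of untagged Ethernet II frames, so the 14-byte Ethernet header is counted in the captured frame length; the function names, addresses and ports are hypothetical, and the frames are constructed sample data.

```python
import struct

ETH_HDR = 14  # untagged Ethernet II header (assumption; an 802.1Q tag adds 4 bytes)

def build_frame(ip_len, df, syn_mss=None):
    """Constructed sample: Ethernet/IPv4/TCP frame with the given IP total length."""
    opts = struct.pack("!BBH", 2, 4, syn_mss) if syn_mss else b""
    tcp_hlen = 20 + len(opts)
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 1, 1, (tcp_hlen // 4) << 4,
                      0x02 if syn_mss else 0x10, 8192, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 1, 0x4000 if df else 0,
                     64, 6, 0, bytes([10, 0, 4, 10]), bytes([10, 0, 2, 20]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + b"\x00" * (ip_len - 20 - tcp_hlen)

def inspect(frame):
    """Return (IP total length, DF flag, TCP MSS option or None)."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an untagged IPv4 frame")
    ip = frame[ETH_HDR:]
    total_len, _, frag = struct.unpack("!HHH", ip[2:8])
    mss = None
    if ip[9] == 6:  # TCP: walk the option list looking for kind 2 (MSS)
        tcp = ip[(ip[0] & 0x0F) * 4:]
        i, end = 20, (tcp[12] >> 4) * 4
        while i < end and tcp[i] != 0:          # kind 0 = end of options
            if tcp[i] == 1:                     # kind 1 = NOP, single byte
                i += 1
                continue
            if i + 1 >= end or tcp[i + 1] < 2:  # malformed length, stop
                break
            if tcp[i] == 2 and tcp[i + 1] == 4:
                mss = struct.unpack("!H", tcp[i + 2:i + 4])[0]
            i += tcp[i + 1]
    return total_len, bool(frag & 0x4000), mss

def verdict(frame, egress_mtu):
    """Apply the rule from the reply: fit, fragment, or drop when DF is set."""
    total_len, df, _ = inspect(frame)
    if total_len <= egress_mtu:
        return "forward"
    return "drop" if df else "fragment"

def syn_exceeds_clamp(frame, tcpmss):
    """True when a SYN advertises an MSS above the configured tcpmss value."""
    mss = inspect(frame)[2]
    return mss is not None and mss > tcpmss
```

Under the untagged-Ethernet assumption, a 1434-byte captured frame carries a 1420-byte IP packet, so comparing frame length directly against an interface MTU overstates the packet size by 14 bytes.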
