05-11-2004 12:31 PM - edited 02-20-2020 11:23 PM
I've just run some tests by doing large FTP transfers while looking at the packets with a sniffer. Why would IPsec traffic end up being a different size than the normal FTP traffic?--->
FTP transfer thru the PIX, with no tunnels, (straight TCP)
Data=1380 Total size (IP)=1420
mss in the PIX is set to 1380, so the above numbers make sense. However:
FTP transfer thru an IPsec tunnel, terminated against the same PIX:
Data=1332 Total size (IP)=1352
For a control test, I turned around and did a large file transfer via FTP, from an internet site. Laptop is plugged in outside of the PIX, so this is a raw-to-the-Internet connection.
Data=1460 Total size (IP)=1500
Question: What causes the mss and the total size of the IPsec packets to be different from the PIX's mss setting? My laptop is set for an MTU of 1500.
05-11-2004 01:05 PM
Are you using a vpn client for the IPSec connection on the same host that initiates the ftp session? If so, what client are you using, and what does it think that the mtu is? It may be that the mtu on the client is doing its own adjustment.
Look to see if you are using GRE/PPTP on top of IPSec - if so then there is 24 bytes additional overhead for gre/pptp.
Let me know what you find.
05-12-2004 10:28 AM
I'm using Cisco's VPN client - I used the "set MTU" utility with that application, to set the MTU to 1500 for every interface it showed, however it had no effect. My MSS is always 1332, and the max. size of the IP packet total is 1352 (20-byte header).
If it means anything, I've got PPTP VPN set up on this PIX as well, and when I do a large FTP transfer thru that GRE tunnel, I get mss of 1420, and max. IP packet size of 1440
-Alex
05-12-2004 11:57 AM
For the pptp and IPsec tests: Were you running the trace between the pix and the pptp client? Or between the pix and the ftp server (or client - whichever host is behind the pix)? The reason I ask is that I still expect the pix and the ftp host to use 1420 ip max and 1380 user data max. frames, since the pix mss is still set to 1380.
05-12-2004 12:11 PM
The tests I was running were an FTP transfer between the GRE & IPsec client and the FTP server, protected by the PIX. The packets were traveling thru the PIX. My test laptop was on the segment on the Outside Interface, and the FTP server is off the segment on the Inside Interface...
05-12-2004 05:26 PM
I am thinking that the 48 byte difference between the ipsec and the cleartext ftp tests (1380 - 1332 = 48) is that the ipsec traffic is flowing over a pptp/gre connection (24 bytes for gre plus 20 more for an ip header).
What type and version of the vpn client are you using, and what os is it running on? Can you double check the vpn client config and make sure that no extra tunneling, other than ipsec is done, during your ftp test? Have you made sure that the pptp tunnel was torn down before running the ipsec ftp test? Also, make sure that ipsec is not flowing over pptp.
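The size bookkeeping in this thread (raw TCP, the PIX mss clamp, and the extra bytes a tunnel adds) can be worked through with a small packet-budget calculator. The block below is an added example, not code from the thread or from Cisco; it models plain TCP/IP and ESP tunnel mode with standard RFC 4303 framing (8-byte ESP header, cipher IV, padding to the cipher block size, 2-byte trailer, 12-byte truncated HMAC ICV, optional 8-byte UDP NAT-T header). The cipher and ICV parameters are assumptions chosen to illustrate the method; they are not a claim about what the poster's VPN client negotiated, and no GRE/PPTP model is included because the exact GRE header length depends on which optional fields are present.

```python
"""Packet-size budget helper (added example, not from the forum thread).

Given an MTU and an encapsulation, compute how much TCP payload fits.
Constants are standard header sizes from the RFCs; cipher parameters
passed by the caller are assumptions, not values observed in the thread.
"""

IP_HDR = 20        # IPv4 header without options
TCP_HDR = 20       # TCP header without options
ESP_HDR = 8        # SPI (4) + sequence number (4), RFC 4303
ESP_TRAILER = 2    # pad length (1) + next header (1)
UDP_HDR = 8        # UDP header used for NAT traversal (RFC 3948)


def tcp_segment_total(mss: int) -> int:
    """Total IP datagram length for a full-size TCP segment with the given MSS."""
    return IP_HDR + TCP_HDR + mss


def plain_tcp_max(mtu: int) -> int:
    """Largest TCP payload that fits in one datagram with no tunnel (= the usual MSS)."""
    return mtu - IP_HDR - TCP_HDR


def esp_tunnel_size(data_len: int, iv_len: int, block: int, icv_len: int,
                    nat_t: bool = False) -> int:
    """Outer datagram length when a TCP segment carrying data_len bytes is
    wrapped in ESP tunnel mode.  The inner IP+TCP+data plus the 2-byte trailer
    is padded up to a multiple of the cipher block size before the ICV is added."""
    inner = IP_HDR + TCP_HDR + data_len
    padded = -(-(inner + ESP_TRAILER) // block) * block   # round up to block multiple
    outer = IP_HDR + ESP_HDR + iv_len + padded + icv_len
    if nat_t:
        outer += UDP_HDR
    return outer


def esp_max_tcp_payload(mtu: int, iv_len: int, block: int, icv_len: int,
                        nat_t: bool = False) -> int:
    """Largest TCP payload whose ESP-tunnelled datagram still fits in mtu.
    Because padding moves in block-size steps, walk down from the no-tunnel
    maximum instead of solving a closed form."""
    data = plain_tcp_max(mtu)
    while data > 0 and esp_tunnel_size(data, iv_len, block, icv_len, nat_t) > mtu:
        data -= 1
    return data


def overhead_breakdown(data_len: int, iv_len: int, block: int, icv_len: int,
                       nat_t: bool = False) -> dict:
    """Per-component byte count for one ESP tunnel-mode datagram, for comparing
    against the total lengths a sniffer reports."""
    inner = IP_HDR + TCP_HDR + data_len
    padded = -(-(inner + ESP_TRAILER) // block) * block
    return {
        "outer_ip": IP_HDR,
        "nat_t_udp": UDP_HDR if nat_t else 0,
        "esp_header": ESP_HDR,
        "iv": iv_len,
        "inner_ip_tcp": IP_HDR + TCP_HDR,
        "data": data_len,
        "padding": padded - inner - ESP_TRAILER,
        "esp_trailer": ESP_TRAILER,
        "icv": icv_len,
    }


if __name__ == "__main__":
    # Sanity checks against the two untunnelled observations in the thread.
    print("raw MSS at MTU 1500:", plain_tcp_max(1500))          # 1460
    print("PIX mss 1380 -> IP total:", tcp_segment_total(1380))  # 1420
    # Assumed cipher parameters: 3DES (8-byte IV/block) and AES (16-byte IV/block)
    # with HMAC-SHA1-96 (12-byte ICV); these are illustrative, not observed.
    for name, iv, blk in (("3DES", 8, 8), ("AES", 16, 16)):
        for nat in (False, True):
            m = esp_max_tcp_payload(1500, iv, blk, 12, nat)
            print(f"ESP tunnel {name} nat_t={nat}: max payload {m}, "
                  f"outer {esp_tunnel_size(m, iv, blk, 12, nat)}")
```

Comparing a sniffer's reported total length against the output of `overhead_breakdown` for several candidate cipher and NAT-T combinations is a quick way to tell whether an observed MSS reduction is explained by the ESP framing alone or whether another encapsulation layer is present.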
05-12-2004 07:02 PM
I'm using the Cisco VPN client, 4.0.3 I believe. Also, how do I know if I'm using a GRE tunnel over IPsec? Otherwise, I'm certain that I turn off the PPTP (GRE) before doing my IPsec test. Since I'm testing both PPTP and IPsec, I'm very aware of which one I have up at a given moment. My OS is Windows2000 Professional, SP4.
-Alex