01-29-2013 10:57 PM - edited 03-04-2019 06:53 PM
Good afternoon,
I would like to discuss fragmentation issues and how to spot them in Cisco IOS.
Here is the setup:
2911 router that uses a PPPoE connection to the ISP. As we all know, the IP MTU value on the Dialer interface should be set to 1492 bytes.
A little bit of theory: Since a PPPoE link has a lower MTU than an ordinary Ethernet link, all the applications should use PMTUD to adjust the size of the datagrams and avoid fragmentation of the traffic. However, let's assume that PMTUD doesn't work (firewall blocks ICMP traffic or drops packets with IP Options, etc). In this case an unaware application starts to send segments with a payload of 1460 bytes. Our router receives these packets and has to fragment them.
In my situation, if I use the "ip tcp adjust-mss 1452" command everything works fine, since the router "forces" the adjustment of the MSS value in TCP sessions. However I want to understand what happens when I'm not intercepting SYN packets. For users it looks like HTTP stops working. Traffic analyzer showed that TCP has a lot of retransmissions, duplicate packets, etc. Also, I was surprised by the absence of any PMTUD mechanism in place (Ubuntu 10.10, Chrome). As expected, the browser sends SYN packets with an MSS field of 1460. However, sometimes web servers return SYN,ACK packets with an MSS field lower than this (they do use PMTUD?) and the page opens just fine. First of all I guessed that the problem is related to the fragmentation of the packets, however Wireshark doesn't show any fragments. So I looked at "show ip traffic" counters related to fragmentation of IP traffic and they are not incrementing. What does it mean? The router doesn't fragment the packets? What's happening then, if I know that packets are bigger than the interface MTU? It just drops them...?
What do you guys think?
Thanks in advance!
Regards,
Igro
01-30-2013 03:00 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
If a packet is bigger than egress MTU, and if the packet isn't marked with the DF bit, the packet should be forwarded after being fragmented. (It's sometimes possible to also configure a device to not honor DF bit and fragment anyway.)
For a DF marked packet that requires fragmentation, device will drop the packet and notify the sender, via ICMP (again assuming device is honoring DF).
In theory, fragmented packets will reach destination and logically everything should work just fine. Practically, fragmentation can lead to all kinds of performance issues and sometimes logical processing issues.
In answer to your question what happens if mss-adjust is enabled, and it doesn't see the original TCP handshake, "normal" MTU rules apply. Remember what mss-adjust really does: just for TCP packets, it tries to ensure no packet is transmitted that will actually exceed PMTU.
A possible answer to packets with MSS less than 1460 without PMTUD: without it, most TCP implementations will use an MTU of 576 for off local network traffic.
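The forwarding rules described in the reply above, applied to the 1492-byte PPPoE IP MTU from the original post, as an added example that is not part of the thread. It parses raw IPv4+TCP bytes, reads the DF bit and the SYN's MSS option, and reports which branch a DF-honoring router would take; the packets, addresses and function names are constructed for illustration.

```python
import struct

PPPOE_IP_MTU = 1492  # Dialer interface IP MTU quoted in the thread

def build_packet(total_len, df, syn_mss=None):
    """Constructed sample IPv4+TCP packet (checksums 0, documentation addresses)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000 if df else 0,
                     64, 6, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    opts = struct.pack("!BBH", 2, 4, syn_mss) if syn_mss is not None else b""
    flags = 0x02 if syn_mss is not None else 0x10  # SYN carries the MSS option, else ACK
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, ((20 + len(opts)) // 4) << 4,
                      flags, 65535, 0, 0) + opts
    return (ip + tcp).ljust(total_len, b"\x00")

def parse(pkt):
    """Return (total_len, df, ip_header_len, mss_or_None) from raw IPv4+TCP bytes."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, _ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    tcp = pkt[ihl:]
    opts, mss, i = tcp[20:(tcp[12] >> 4) * 4], None, 0
    while tcp[13] & 0x02 and i < len(opts):        # MSS only appears on SYN / SYN,ACK
        kind = opts[i]
        if kind == 0:                               # end of option list
            break
        if kind == 1:                               # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:   # malformed length, stop parsing
            break
        if kind == 2 and opts[i + 1] == 4 and i + 4 <= len(opts):
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return total_len, bool(flags_frag & 0x4000), ihl, mss

def egress_action(pkt, mtu=PPPOE_IP_MTU):
    """What a DF-honoring router does with this packet on a link with this IP MTU."""
    total_len, df, ihl, _mss = parse(pkt)
    if total_len <= mtu:
        return ("forward", 0)
    if df:
        return ("drop_icmp_frag_needed", mtu)       # ICMP type 3 code 4 carries next-hop MTU
    per_frag = (mtu - ihl) // 8 * 8                 # fragment data is a multiple of 8 bytes
    return ("fragment", -(-(total_len - ihl) // per_frag))

def clamped_mss(mss, mtu=PPPOE_IP_MTU):
    """MSS that fits the link: MTU minus 20-byte IP and 20-byte TCP headers (1452 here)."""
    return min(mss, mtu - 40)
```

Feeding it bytes captured on the LAN side shows, per packet, whether the Dialer interface should forward, fragment, or drop with an ICMP reply.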
01-30-2013 03:14 AM
Sorry for not being clear enough. By "not intercepting SYN packets" I meant disabling "ip tcp adjust-mss".
I know what "ip tcp adjust-mss" does and it's working fine. What is interesting to me is what happens when I don't use it.
I do not understand why the router doesn't fragment the packets (show ip traffic doesn't show any increment of "fragment" counters).
P.S. Packet capture shows no evidence of DF bit being set.
01-30-2013 08:05 AM
Posting
By "not intercepting SYN packets" I meant disabling "ip tcp adjust-mss". I know what "ip tcp adjust-mss" does and it's working fine. What is interesting to me is what happens when I don't use it.
When adjust-mss isn't enabled, "normal" PMTU happens.
I do not understand why the router doesn't fragment the packets (show ip traffic doesn't show any increment of "fragment" counters).
It might only be accounting for the device's sourced packets, i.e. not transit packets.