10-18-2014 03:35 AM - edited 03-04-2019 11:59 PM
We had an issue recently where I work where an office started having connectivity problems. This office has a VPN router with an IPsec tunnel to access the main network because they're located several hours away. (The hub router is a 3945, the office has a 2800 series router.) This worked fine for years, but about a month ago, with no changes to the network, they started having issues with VOIP and web access.
While troubleshooting we adjusted the MTU on the workstation and found that it worked fine at 1380, but when we set the adjust-mss on the tunnel to 1380 it didn't work for all the affected computers.
We tried various settings on the adjust-mss and the ip mtu until we got one that worked, but if we went too high on the MTU we got a message saying our setting was "higher than the current transport value of 1414, fragmentation will occur."
This was six lower than 1420, the IP MTU setting that was originally there. We dropped the ip tcp adjust-mss to 1374 and it worked.
It looks like the "current transport value" is what changed, but I can't find any way to see what the value is on either router and I don't know what goes into finding this value. Does anyone know the command to view it and what determines it?
10-21-2014 02:38 AM
You're confusing MTU and MSS.
MTU = maximum IP datagram size the layer 2 can carry,
MSS = maximum TCP segment size.
On a usual Ethernet Link MTU=1500 bytes. MSS = 1500 - 20 (IP header) - 20 (TCP header) = 1460 bytes.
When using tunnels, you've got to take into account the added encapsulation. With GRE for instance (which I know better than IPSec), you've got 24 bytes more to take into account.
On a router, with a PPP interface with 1500 bytes MTU, if you enable GRE the GRE tunnel will have an MTU of 1476 bytes because each user datagram will receive an additional IP+GRE header (+24 bytes).
MSS is then 1436 bytes (1436 + 40= 1476) and you can avoid IP fragmentation by setting tcp mss adjust to 1436 for tcp traffic (nothing can be done for big UDP packets).
Same thing with IPSec. Depending on the encapsulation (ESP, tunnel, transport...), you add X bytes of additional header.
On a WAN PPP interface having an MTU of 1500 bytes, a tunnel going thru the PPP interface toward its destination will detect a transport MTU of 1500 bytes (MTU of the outgoing transport interface, the PPP interface), and will set its own MTU at 1500 - X bytes (MTU of outgoing interface minus additional bytes of tunnel encapsulation). You can set mss adjust to Transport (here 1500) - (X) - (40).
Hope this helps.
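The "Transport - X - 40" arithmetic from the reply above, carried through for IPsec as an added example that is not part of the original thread. It assumes IPv4 and ESP in tunnel mode; the function names and the transform table (IV, alignment and ICV sizes of three common transforms) are assumptions, since the thread does not say which transform the tunnel uses.

```python
# Added example: largest inner packet / TCP MSS that avoids fragmentation.
IP_HDR, TCP_HDR, GRE_HDR = 20, 20, 4
ESP_HDR = 8       # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad-length byte + next-header byte
NAT_T_UDP = 8     # UDP header added when ESP is carried over NAT-T

# Assumed transforms: name -> (IV bytes, padding alignment bytes, ICV bytes)
TRANSFORMS = {
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "3des-cbc/hmac-sha1-96": (8, 8, 12),
    "aes-gcm-16": (8, 4, 16),
}

def gre_tunnel_mtu(transport_mtu):
    """The reply's GRE case: outer IP header plus GRE header (24 bytes)."""
    return transport_mtu - IP_HDR - GRE_HDR

def esp_tunnel_size(inner_len, transform, nat_t=False):
    """Outer IPv4 packet size after ESP tunnel-mode encapsulation."""
    iv, align, icv = TRANSFORMS[transform]
    # Inner packet plus trailer is padded up to the cipher's alignment.
    padded = -(-(inner_len + ESP_TRAILER) // align) * align
    return IP_HDR + (NAT_T_UDP if nat_t else 0) + ESP_HDR + iv + padded + icv

def max_inner_mtu(transport_mtu, transform, nat_t=False):
    """Largest inner IP packet whose encapsulated size fits transport_mtu."""
    for inner in range(transport_mtu, 0, -1):
        if esp_tunnel_size(inner, transform, nat_t) <= transport_mtu:
            return inner
    raise ValueError("transport MTU too small for this transform")

def mss_for(mtu):
    """TCP MSS for a given IP MTU: minus IP and TCP headers (40 bytes)."""
    return mtu - IP_HDR - TCP_HDR

if __name__ == "__main__":
    transport = 1500  # transport MTU used in the reply
    gre = gre_tunnel_mtu(transport)
    print(f"GRE: tunnel MTU {gre}, MSS {mss_for(gre)}")
    for name in TRANSFORMS:
        mtu = max_inner_mtu(transport, name)
        print(f"ESP tunnel {name}: inner MTU {mtu}, MSS {mss_for(mtu)}")
```

Because of block padding, X is not a constant for ESP: one extra inner byte can push the outer packet up by a whole cipher block, which is why the search walks down from the transport MTU instead of subtracting a fixed overhead.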