11-09-2021 10:13 AM - edited 11-09-2021 10:28 AM
Recently I started upgrading 1900 routers (IOS Version 15.5(3)M5) to C1161X-8PLTEP (IOS Version 17.3.3). The config from the 1900 to the 1K ISR stayed almost the same; it was mostly a copy and paste.
I’m using DMVPN to connect over 20 branches to 2 NHS hubs. The problem I ran into is that on the new 1K ISR routers I was having issues with branches connecting and authenticating to MS domain controllers. When connecting to RDP and authenticating to the MS DC it would take a long time to authenticate, and most of the time it would just time out; other services seemed fine.
I was able to trace the problem to the max segment size on the DMVPN tunnel. I have ip tcp adjust-mss 1360 with a 1400 MTU on the 1900 routers, but when adding this to the 1K ISR we ran into the problems described above. The solution was to remove ip tcp adjust-mss 1360.
For whatever reason, something that was working on the 1900 is not working properly on the ISR. I have tried to troubleshoot this using Cisco packet capture to look at SYN packets and try to understand what is happening, but I don’t see anything jumping out at me. I only looked on the router and didn’t import the capture into Wireshark.
I understand that setting ip tcp adjust-mss will overwrite the desired host MTU on the SYN packets with the one configured on the router, in this case MSS 1360. I have tried setting this as low as 500 bytes, but that did not work either. The problem only goes away when I remove ip tcp adjust-mss. I have looked for bugs on the ISR IOS version and found nothing. I’m stumped as to why something was working on the 1900 router but doesn’t work after upgrading the router with the same config.
Is there something I can do to debug this, or use embedded packet capture with specific ACLs? I would really like to see what is going on, as I’m assuming this is not a bug.
Any ideas would be great.
TIA, Paul
cisco C1161X-8PLTEP
Cisco IOS XE Software, Version 17.03.03
Cisco IOS Software [Amsterdam], ISR Software (ARMV8EL_LINUX_IOSD-UNIVERSALK9-M), Version 17.3.3, RELEASE SOFTWARE (fc7)
ROM: 16.12(2r)
interface Tunnel500
ip mtu 1400
tunnel path-mtu-discovery
tunnel source GigabitEthernet0/0/0
tunnel protection ipsec profile ipsec_prof_shared
end
Gig/0/0:
MTU 1500 bytes, BW 20000 Kbit/sec, DLY 10 usec,
Tunnel 500:
MTU 9972 bytes, BW 20000 Kbit/sec, DLY 50000 usec,
Path MTU Discovery, ager 10 mins, min MTU 92
Tunnel transport MTU 1472 bytes
--
CISCO1941/K9
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.5(3)M5, RELEASE SOFTWARE (fc1)
The gig0/0 interface has an MTU of 1500
Tunnel 500:
MTU 17912 bytes, BW 50000 Kbit/sec, DLY 50000 usec,
Path MTU Discovery, ager 10 mins, min MTU 92
Tunnel transport MTU 1472 bytes
On the 1900 I have:
interface Tunnel500
ip mtu 1400
ip tcp adjust-mss 1360
tunnel path-mtu-discovery
tunnel source GigabitEthernet0/0/0
tunnel protection ipsec profile ipsec_prof_shared
end
While on the 1K ISR I have:
interface Tunnel500
ip mtu 1400
tunnel path-mtu-discovery
tunnel source GigabitEthernet0/0/0
tunnel protection ipsec profile ipsec_prof_shared
end
11-11-2021 07:32 AM
1360 + 20 + 20 = 1400
But don't you need to account for the tunnel header?
Configuring TCP MSS Adjustment (cisco.com) calculates:
"In most cases, the optimum value for the max-segment-size argument of the ip tcp adjust-mss command is 1452 bytes. This value plus the 20-byte IP header, the 20-byte TCP header, and the 8-byte PPPoE header add up to a 1500-byte packet that matches the MTU size for the Ethernet link."
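To make the header arithmetic in this reply concrete, here is a small MSS/MTU budget checker. It is an added example, not code from the thread or from Cisco; it assumes a 28-byte GRE encapsulation overhead (20-byte outer IP plus 8-byte GRE with a tunnel key), which is the figure that reproduces the 1472-byte "Tunnel transport MTU" in the show output above, and it leaves IPsec/ESP overhead out because that depends on the transform set, which the thread does not show.

```python
# Added example (not from the thread): checks whether a tunnel's
# "ip mtu" and "ip tcp adjust-mss" values are consistent with the
# underlying link MTU and the encapsulation overhead.
IP_HDR = 20    # IPv4 header without options
TCP_HDR = 20   # TCP header without options
GRE_KEY_OVERHEAD = 28  # assumed: 20-byte outer IP + 8-byte GRE with key


def max_mss(mtu, extra_overhead=0):
    """Largest MSS whose segment still fits in `mtu` once the IP and
    TCP headers (and any extra per-packet overhead) are added."""
    return mtu - IP_HDR - TCP_HDR - extra_overhead


def transport_mtu(link_mtu, encap_overhead):
    """Inner packet size a tunnel can carry without fragmenting the
    outer packet (what IOS reports as 'Tunnel transport MTU')."""
    return link_mtu - encap_overhead


def check_tunnel(link_mtu, encap_overhead, ip_mtu, adjust_mss=None):
    """Return a list of findings; an empty list means the numbers line up.
    IPsec/ESP overhead is NOT included here; it depends on the transform set."""
    findings = []
    tmtu = transport_mtu(link_mtu, encap_overhead)
    if ip_mtu > tmtu:
        findings.append(
            f"ip mtu {ip_mtu} exceeds tunnel transport MTU {tmtu}: "
            "outer packets will be fragmented")
    if adjust_mss is not None and adjust_mss > max_mss(ip_mtu):
        findings.append(
            f"adjust-mss {adjust_mss} + {IP_HDR + TCP_HDR} header bytes "
            f"exceeds ip mtu {ip_mtu}")
    return findings


if __name__ == "__main__":
    # Values taken from the thread: 1500-byte Gig link, ip mtu 1400, adjust-mss 1360.
    print("transport MTU:", transport_mtu(1500, GRE_KEY_OVERHEAD))   # 1472
    print("max MSS for ip mtu 1400:", max_mss(1400))                  # 1360
    print("PPPoE case from the Cisco doc:", max_mss(1500, 8))         # 1452
    print("findings:", check_tunnel(1500, GRE_KEY_OVERHEAD, 1400, 1360))
```

Running it with the thread's numbers returns no findings, so the MSS and MTU values on the 1K ISR are arithmetically consistent before IPsec overhead is considered.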