ip tcp adjust-mss - Main AND sub interface?

estein
Level 1

I know that I need to configure the ip tcp adjust-mss command on one of my router's sub interfaces.  It appears that I can ONLY configure it on this particular sub interface if I want, without also configuring it on the main interface.  My question is... do I need to define it on the main interface as well, or is the sub interface config sufficient?  I can't find any documentation to help me answer this.  Thanks!!

interface GigabitEthernet0/0
description LAN int
no ip address
ip tcp adjust-mss 1320  <<< Do I need this??
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/0.1
description Dot1Q interface for SafeNet
encapsulation dot1Q 1 native
ip address y.y.y.y 255.255.255.0
ip tcp adjust-mss 1320  <<< Where I know I need it configured.
no cdp enable
!
interface GigabitEthernet0/0.2
description Dot1Q interface for Acc Subnet
encapsulation dot1Q 171
ip address x.x.x.x 255.255.255.248
no cdp enable


Richard Burts
Hall of Fame

While it would not hurt to have the command on the main interface you do not need to have it on the main interface. It is sufficient to have it on only the subinterface (as long as that subinterface is the only traffic for which you need to control the tcp mss).

Since there is no IP address on the physical interface and since the native VLAN is configured as the subinterface, there will be no packets received on the main interface and this is the reason why you do not need the command on the main interface.

HTH

Rick

Hi, I just ran into this thread as I am also trying to resolve some mss issues.

I also have configured subinterfaces for different leased lines and have VPN on each.

Now I have to adjust mss on one of the subinterfaces to 1360. Although the command is accepted, it looks like the router does nothing regarding mss during the initial handshake. One of the Cisco documents says that this command was enhanced to be configurable on a subinterface since 12.2(28). I am running 12.4.(20) so that shouldn't be a problem.

Oh, yes, and mss is successfully adjusted on the other end - the partner's router.

Do I have to configure mss on the main interface also, or am I missing something?

Here is the configuration:

interface FastEthernet0/0
description TTT
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex full
speed 100
no mop enabled
!
interface FastEthernet0/0.1
description RRR
encapsulation dot1Q 681
ip address 192.168.68.1 255.255.255.252
ip access-group RRR in
no cdp enable
crypto map VPN-RRR
!
interface FastEthernet0/0.2
description ZZZ
encapsulation dot1Q 684
ip address 192.168.68.5 255.255.255.252
ip access-group ZZZ in
ip tcp adjust-mss 1360 << set on subinterface only
no cdp enable
crypto map VPN-ZZZ

Packet capture shows that mss was not changed (partner initiates communication and has correct mss):

No.     Time                       Source                Destination           Protocol Info
    125 2010-11-19 12:42:04.425515 192.168.65.164        192.168.63.85         TCP      1025 > 9707 [SYN] Seq=1733670344 Len=0 MSS=1360
    126 2010-11-19 12:42:04.427071 192.168.63.85         192.168.65.164        TCP      9707 > 1025 [SYN, ACK] Seq=3774345480 Ack=1733670345 Win=16384 Len=0 MSS=1380
    127 2010-11-19 12:42:04.430382 192.168.65.164        192.168.63.85         TCP      1025 > 9707 [ACK] Seq=1733670345 Ack=3774345481 Win=65535 Len=0

Thank you for any input.

Ivica

Ivica,

Where did you capture these TCP segments? The change to the MSS indicated by 192.168.63.85 would be visible only after this segment went through the subinterface using the ip tcp adjust-mss command. If you captured the segment before it traversed the subinterface then the MSS is not supposed to be modified.

Best regards,

Peter

Of course... I captured the packet BEFORE the subinterface using the ip tcp adjust-mss

The only way to be sure is to capture the packets on the other end of the VPN tunnel.

Thank you Peter
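The point resolved in this thread, shown as an added example that is not from any poster and is not Cisco's implementation: the MSS option of a SYN or SYN,ACK is rewritten only once the segment has crossed the clamping interface, so a capture taken before it still shows the original value. The function names and the checksum computed without the IP pseudo-header are assumptions of this sketch; the ports, sequence numbers and MSS values are those in the capture above.

```python
import struct

def ones_sum(data):
    """16-bit one's-complement sum over even-length data (TCP checksum arithmetic)."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def build_segment(sport, dport, seq, ack, flags, mss):
    """Constructed sample: TCP header plus one MSS option; checksum omits the pseudo-header."""
    seg = bytearray(struct.pack("!HHIIHHHHBBH", sport, dport, seq, ack,
                                (6 << 12) | flags, 16384, 0, 0, 2, 4, mss))
    struct.pack_into("!H", seg, 16, ~ones_sum(seg) & 0xFFFF)
    return bytes(seg)

def find_mss(seg):
    """Return (offset, value) of the MSS option in a SYN segment, else None."""
    end = (seg[12] >> 4) * 4 if len(seg) >= 20 else 0   # header length in bytes
    if not 20 <= end <= len(seg) or not seg[13] & 0x02:  # bad header or no SYN flag
        return None
    i = 20
    while i < end and seg[i] != 0:           # kind 0 ends the option list
        if seg[i] == 1:                      # kind 1 is a one-byte NOP
            i += 1
            continue
        if i + 1 >= end or seg[i + 1] < 2 or i + seg[i + 1] > end:
            return None                      # malformed option length
        if seg[i] == 2 and seg[i + 1] == 4:  # kind 2 is MSS
            return i + 2, struct.unpack_from("!H", seg, i + 2)[0]
        i += seg[i + 1]
    return None

def clamp_mss(seg, limit):
    """Lower an advertised MSS that exceeds `limit`; never raise it."""
    found = find_mss(seg)
    if found is None or found[1] <= limit:
        return seg
    pos, old = found
    out = bytearray(seg)
    struct.pack_into("!H", out, pos, limit)
    # RFC 1624 incremental checksum update: HC' = ~(~HC + ~m + m')
    csum = struct.unpack_from("!H", out, 16)[0]
    total = ones_sum(struct.pack("!HHH", ~csum & 0xFFFF, ~old & 0xFFFF, limit))
    struct.pack_into("!H", out, 16, ~total & 0xFFFF)
    return bytes(out)

synack = build_segment(9707, 1025, 3774345480, 1733670345, 0x12, 1380)  # frame 126
print(find_mss(synack)[1], "->", find_mss(clamp_mss(synack, 1360))[1])
```

The first number printed is what a capture before the interface shows, the second what a capture after it (for example at the far end of the tunnel) shows.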
