We need to figure out what's the best config for a VPN network running on the latest Bell Canada HSPA cellular network. Technical folks at Bell told us the best MTU to use over their HSPA network is 1476.
Correct me if I'm wrong:
HSPA ISP's recommended MTU - IPsec payload - GRE payload = what we need to configure on our MSS adjust commands and on the Tunnel Interface.
That would be 1476 (HSPA) - 58 (IPsec) - 24 (GRE) = 1394
On our Ethernet interface facing the HSPA modem: MTU should be 1476
On our Tunnel & MSS-adjust command: 1394
Does it make any sense?
TCP MSS doesn't include IP and TCP header so you should remove 40B from your result. 1394 is actually the IP MTU of your original packet.
Therefore my settings will be
Fast Ethernet MTU connecting to HSPA modem: 1476
GRE Tunnel MTU: 1394
MSS adjust on Tunnel Interface: 1354
Am I right?
IP Header - 20 Bytes
TCP Header - 20 Bytes
IPSEC Header - 56 Bytes
Standard LAN NIC MTU = 1500. When a TCP SYN connection is started, the TCP stack will do the following:
So the NIC MTU = 1500, take away 20 bytes for the TCP header, advertise a MSS of 1460.
When you have PMTUD enabled (enabled by default on ALL Microsoft OSes), ALL packets have the DF bit set.
So you negotiate a TCP session, to 1460 with the DF bit set, the packets arrive at the firewall/VPN device ready for encryption...
but the device needs to add 56 bytes of encryption to the packet.....1460 + 56 = 1516, but the interface MTU is 1500 right! ooops!
If you start using a ping with the DF bit set, it's misleading, as an ICMP packet is 20 bytes with IP info, so the MTU reported will be 1480! Not what you are looking for.
So to be safe I always do the following:
20 Bytes for IP header
20 Bytes for TCP header
28 Bytes for GRE encapsulation
56 Bytes for IPSEC
So far = 1356.
I always calculate an extra if I am dealing with VoIP:
12 Bytes for RTP
All totaled = 1344
I also allow for "fudge", so I use 1300 bytes as the MSS value. Works extremely well for me.
Some minor corrections:
Actually VoIP uses UDP, which is 8 bytes. That plus the 12 bytes for RTP = 20.
Additionally GRE headers are 4 bytes, plus the new IP header of 20 bytes. Thus totalling 24 bytes [not 28].
Other than that, Bravo's suggestion looks pretty good.
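The budget arithmetic from the posts above, as an added worked example that is not from the thread: a small Python calculator that derives the tunnel IP MTU and the TCP MSS from a path MTU and the per-layer overheads, and checks whether a full-size segment still fits the path after GRE and IPsec encapsulation (the "1460 + 56 on a 1500 interface" case). The overhead figures are the ones quoted in the thread (IPsec 56 or 58 bytes, GRE 4 bytes plus a 20-byte outer IP header); the function names are my own.

```python
# Added example (not from the thread): MTU/MSS budget calculator for a GRE over
# IPsec tunnel across a path with a known MTU. The overhead figures are the
# ones quoted in the thread (IPsec 56 or 58 bytes, GRE 4 + outer IP 20 = 24).
# Real ESP overhead depends on cipher block size, IV length and padding, so
# treat the IPsec figure as an input you measure for your own crypto map,
# not as a constant.

IP_HEADER = 20        # IPv4 header without options
TCP_HEADER = 20       # TCP header without options
UDP_HEADER = 8
RTP_HEADER = 12
GRE_HEADER = 4        # base GRE header, no key/sequence fields
GRE_OVERHEAD = GRE_HEADER + IP_HEADER   # GRE adds its own outer IP header


def tunnel_ip_mtu(path_mtu, ipsec_overhead, gre_overhead=GRE_OVERHEAD):
    """Largest IP packet the tunnel can carry without the encapsulated packet
    exceeding the path MTU (the thread's 1476 - 58 - 24 = 1394)."""
    return path_mtu - ipsec_overhead - gre_overhead


def tcp_mss_for(ip_mtu):
    """TCP MSS for a given IP MTU. MSS counts TCP payload only, so the IP and
    TCP headers come off the top (1394 -> 1354)."""
    return ip_mtu - IP_HEADER - TCP_HEADER


def wire_size(mss, ipsec_overhead, gre_overhead=GRE_OVERHEAD):
    """Bytes on the wire for a full-MSS TCP segment after GRE + IPsec."""
    return mss + TCP_HEADER + IP_HEADER + gre_overhead + ipsec_overhead


def fits_path(mss, path_mtu, ipsec_overhead, gre_overhead=GRE_OVERHEAD):
    """True if a full-MSS segment survives encapsulation without exceeding
    the path MTU. With DF set (PMTUD on) an oversize packet is dropped rather
    than fragmented, which is the stall the thread describes."""
    return wire_size(mss, ipsec_overhead, gre_overhead) <= path_mtu


def budget(path_mtu, ipsec_overhead, gre_overhead=GRE_OVERHEAD, voip=False):
    """Return the per-layer budget as (layer, bytes) rows plus the resulting
    MSS. voip=True also reserves UDP + RTP headers, as Bravo's post does; this
    is conservative (a TCP flow never carries RTP) but the same tunnel MTU has
    to fit RTP packets too."""
    rows = [("path MTU", path_mtu),
            ("IPsec", -ipsec_overhead),
            ("GRE + outer IP", -gre_overhead),
            ("inner IP", -IP_HEADER),
            ("TCP", -TCP_HEADER)]
    if voip:
        rows += [("UDP", -UDP_HEADER), ("RTP", -RTP_HEADER)]
    mss = sum(b for _, b in rows)
    return rows, mss


if __name__ == "__main__":
    # The thread's HSPA case: 1476 path MTU, 58 bytes IPsec, 24 bytes GRE.
    rows, mss = budget(1476, 58)
    for layer, b in rows:
        print(f"{layer:16s} {b:+6d}")
    print(f"{'MSS':16s} {mss:6d}")
    print("tunnel ip mtu:", tunnel_ip_mtu(1476, 58))
    # A LAN host advertising MSS 1460 behind a 1500-byte interface with 56
    # bytes of IPsec added on the way out: the segment no longer fits.
    print("1460 fits 1500 path with IPsec only?",
          fits_path(1460, 1500, 56, gre_overhead=0))
```

The numbers the calculator produces for the thread's inputs match the accepted answer (tunnel MTU 1394, MSS 1354), and `fits_path` lets you check any MSS you intend to clamp with `ip tcp adjust-mss` against the path before rolling it out.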
I'm having a similar problem, with NHRP.
Our network was using a 1720 router before and it worked fine.
Then we swapped to the 1841 series
and the Sybase database replication is not going through anymore.
We do replication every day; suddenly this happened when we swapped the router
at the head office.
We have the VPN tunnel to the remote location.
The strange thing is that it works well on the same network (client-server database replication);
it just doesn't go through on a different network at the remote location over the VPN NHRP tunnel.
Any ideas, please?