Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7997
Views
0
Helpful
5
Replies

MTU size tweaking - VPN, MPLS, RDP

hellumsduane
Level 1
Level 1

‎03-03-2016 07:20 AM - edited ‎03-05-2019 03:29 AM

I read in a Cisco white paper that an MTU reduction "complies with best practices in VPN networks of setting the MTU to 1440 bytes on an interface to allow for IPSEC headers."  

Sounds straightforward enough.  Here's my confusion, though...

Say I have a VPN tunnel between two campuses in different states.  Tests show that one site can get to the web without fragmenting at 1472 (MTU 1500, with the IP header).  But getting to the other VPN site, they fragment anything larger than 1406 (MTU 1434, with the IP header).  See ping results below.

Q1.  If I follow the logic correctly, I should set the MTU on both sides to 1434, right?  Why is that different than the 1440 recommendation from Cisco?  

Q2.  Does something happen inside the IP protocol to inform the PC and RDP/Terminal Services server about this, so they don't keep trying to send 1500 byte packets?  Or does that part not matter?  If not, why not?  

Q3.  It seems like we'd want to stop fragmentation across the entire network.  Do I need to set MTU in DHCP as well?  Why would I want to optimize and prevent fragmentation at the tunnel endpoints, rather that at the source, at the PC and switch?  Seems like it would suck to have to live with the lowest common denominator speed for the Internet, just because of a slower VPN tunnel for some traffic.  

Q4.  What about all the other switches and routers I control, other than those two ASA endpoints for the VPN tunnel, do I have to change the MTU in all of them also?

Q5.  To make matters worse, I did a fragmentation test across the MPLS link to our data center (not using VPN tunnel), and it fragmented above 1272.  So do I need to tweak everything here and there down to 1272?

Q6.  And the last question, does it even matter?  I brought this issue up with a local Cisco support contractor a few years ago, and he shrugged it off like I was speaking a foreign language to him.  Apparently he'd never made any MTU changes based on fragmentation.

C:\>ping www.google.com -f -l 1472

Pinging www.google.com [74.125.22.106] with 1472 bytes of data:
Reply from 74.125.22.106: bytes=64 (sent 1472) time=50ms TTL=36
Reply from 74.125.22.106: bytes=64 (sent 1472) time=51ms TTL=36
Reply from 74.125.22.106: bytes=64 (sent 1472) time=51ms TTL=36
Reply from 74.125.22.106: bytes=64 (sent 1472) time=189ms TTL=36

Ping statistics for 74.125.22.106:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 50ms, Maximum = 189ms, Average = 85ms

C:\>ping 192.168.1.1 -f -l 1472

Pinging 192.168.1.1 with 1472 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>ping 192.168.1.1 -f -l 1407

Pinging 192.168.1.1 with 1407 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>ping 192.168.1.1 -f -l 1406

Pinging 192.168.1.1 with 1406 bytes of data:
Reply from 192.168.1.1: bytes=1406 time=95ms TTL=127
Reply from 192.168.1.1: bytes=1406 time=85ms TTL=127
Reply from 192.168.1.1: bytes=1406 time=75ms TTL=127
Reply from 192.168.1.1: bytes=1406 time=91ms TTL=127

Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 75ms, Maximum = 95ms, Average = 86ms

Labels:
0 Helpful
5 Replies 5

Philip D'Ath
VIP Alumni
VIP Alumni

‎03-03-2016 07:54 PM

What model Cisco device is this?  Is this a straight IPSec VPN, or a VTI on a router, or something else?

I would probably just do a TCP mss adjust and make it 1300.  Nice and safe.

0 Helpful

hellumsduane
Level 1
Level 1
In response to Philip D'Ath

‎03-03-2016 08:22 PM

IPSEC tunnel between ASA 5510 on one end, and a 2821 router on the other, NAT/ed to another 5510. Both over cable modem (50x5 Mbps on one end, 100x10 Mbps on the other). Except for question 5, that's 10 Mbps fiber with MPLS between two leased routers and two 5510s.

http://blog.apnic.net/2014/12/15/ip-mtu-and-tcp-mss-missmatch-an-evil-for-network-performance/

This mentions what you did, but I guess my question still stands about why we don't have to do this on the PC and server endpoints. If they keep thinking it's a1500 byte world, and we're constricting it at the router and firewall, fragmentation will still be needed, right?

0 Helpful

Philip D'Ath
VIP Alumni
VIP Alumni
In response to hellumsduane

‎03-03-2016 11:06 PM

When you adjust the MSS inline, it adjust it for all TCP connections flowing through the devices.  As a result, you don't have to reconfigure every server and workstation.

0 Helpful

hellumsduane
Level 1
Level 1
In response to Philip D'Ath

‎03-04-2016 12:53 PM

It looks like most of our Windows machines throttle MTU back to 1300, so does this even matter?  Maybe it would only affect our Mac users (who could just manually configure their MTU)?  I looked at "sh ip traffic" and it only showed a few hundred packets fragmented.  So maybe it's having little to no practical effect on our TS/RDP sessions or overall VPN throughput?

0 Helpful

Philip D'Ath
VIP Alumni
VIP Alumni
In response to hellumsduane

‎03-06-2016 11:34 AM

Why not give it a try for 10 minutes?  I will help to quickly rule it out.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card