IPSec VPN MTU issue over ADSL

sudan_023
Level 1

Hello Guys,

I am deploying IPSec VPN over an MPLS L3 ADSL link between the head office and different branch locations. The VPN tunnels are up and running and I can successfully ping both sides, but browsing is very, very slow. Users at remote sites cannot browse the servers at the head office or the internet. I have tried the following things:

1) Setting MTU on the outside interface

2) Setting ip tcp adjust-mss on the outside interface

3) Crypto ipsec df-bit clear (both locations)

4) Route-map clearing the df-bit

Browsing is still the same. I can't figure out where the problem is: in my configuration or at the ISP side?

Devices used for this configuration are:

Head Office: Cisco C3945 Software (C3900-UNIVERSALK9-M), Version 15.2(4)M3

Branch Office: Cisco C2911 Software (C2900-UNIVERSALK9-M), Version 15.3(2)T

I have attached configuration below:

Thank you

Sudan Dhakal

10 Replies

Tariq Bader
Cisco Employee

How much did you adjust the TCP MSS?


Sent from Cisco Technical Support Android App

Hello Bader,

After testing different-sized ping packets from a Windows machine at a remote location:

>ping x.x.x.x

  reply success

>ping x.x.x.x -l 1500 -f

packet needs to be fragmentated but df set

packet needs to be fragmentated but df set

>ping x.x.x.x -l 1350 -f

packet needs to be fragmentated but df set

packet needs to be fragmentated but df set

>ping x.x.x.x -l 1340 -f

reply success

reply success

I set different MSS values to test but nothing worked. The running configuration has the ip tcp adjust-mss 1300 value.

Regards,

Sudan Dhakal
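The manual DF-bit ping sweep in the reply above (1500 and 1350 fail, 1340 passes) can be automated as a binary search, and the measured path MTU then gives the MSS value to clamp to. This is an added example, not code from the thread or from Cisco; it assumes the probe runs on a Windows host with the same "ping -f -l" syntax used in the post, and the target host is a placeholder taken from the command line.

```python
"""Path-MTU sweep with DF-set pings, plus MSS derivation (added example)."""
import subprocess
import sys
from typing import Callable

IP_HDR = 20    # IPv4 header without options
ICMP_HDR = 8   # ICMP echo header; ping -l counts payload only
TCP_HDR = 20   # TCP header without options


def windows_ping_probe(host: str, payload: int) -> bool:
    """Send one DF-set ping (assumption: Windows 'ping -f -l') and report success."""
    res = subprocess.run(["ping", "-n", "1", "-f", "-l", str(payload), host],
                         capture_output=True, text=True)
    return res.returncode == 0 and "needs to be fragmented" not in res.stdout


def find_max_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Largest ICMP payload that passes with DF set; probe(size) -> True on reply.

    hi defaults to 1472 = 1500 - IP - ICMP, i.e. a full Ethernet-sized ping."""
    if not probe(lo):
        raise RuntimeError("smallest probe failed: not an MTU problem, check reachability")
    if probe(hi):
        return hi
    # Invariant: probe(lo) succeeds, probe(hi) fails; narrow until adjacent.
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def path_mtu_from_payload(payload: int) -> int:
    """Path MTU seen end to end through the tunnel (IPsec overhead already included)."""
    return payload + IP_HDR + ICMP_HDR


def mss_for_mtu(mtu: int) -> int:
    """MSS to clamp TCP to so a full segment fits the measured path MTU."""
    return mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "x.x.x.x"  # placeholder host
    best = find_max_payload(lambda size: windows_ping_probe(target, size))
    mtu = path_mtu_from_payload(best)
    print(f"max DF payload {best}, path MTU {mtu}, clamp MSS to {mss_for_mtu(mtu)}")
```

With the values from the thread (1340 passes, 1350 fails) the path MTU works out to 1368 and the MSS clamp to 1328, which can be compared with the adjust-mss value actually in the running configuration.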

Perform some packet captures on client and server.

Hello Peter,

Wireshark captures at the branch location show almost every packet as "TCP segment of a reassembled PDU" and lots of bad checksums.

Regards,

Sudan Dhakal

Hi Sudan

You have one of the two issues:

A) MTU path discovery issues, where the clients can't find the MTU and default to a very low MTU
Solution: use a tool like MTU Path to find whether there is any device not replying to the MTU path discovery: http://www.iea-software.com/products/mtupath.cfm

B) TCP MSS values are still high. Try to lower this to 1260


Take care

Sent from Cisco Technical Support iPad App

2) Setting ip tcp adjust-mss in outside interface

It does not affect TCP, as traffic on the outside interface is already encapsulated in IPsec. Put that command on the inside interface.

Peter,

Are you sure about that?

Sent from Cisco Technical Support iPad App

Are you sure about that?

Actually, I'm not entirely positive. Haven't tested it.

I would say if you put it on inside interface, it's guaranteed.

Peter

You are correct. It will also work, but..... that also means you need to apply the command to each internal interface, and it will also change the MSS for the internal traffic, which is not required.

Applying it on the outside interface will guarantee that only VPN traffic gets a lower MSS.

Sudan, is it solved?

Let me see the captures, the MSS values and packet/segment sizes should be checked.
