09-20-2013 07:10 AM - edited 02-21-2020 07:10 PM
Hello Guys,
I am deploying IPSec VPN over MPLS L3 ADSL link between HeadOffice and different branch locations. VPN tunnels are up and running; I can successfully ping both sides. But the browsing is very very slow. Users at remote sites cannot browse the servers at headoffice as well as internet. I have tried following things:
1) Setting MTU in outside interface
2) Setting ip tcp adjust-mss in outside interface
3) Crypto ipsec df-bit clear (both locations)
4) Route-map clearing df-bit
Still browsing is the same. I can't figure out where the problem is: in my configuration or at the ISP side?
Devices used for this configuration are:
Head Office: Cisco C3945 Software (C3900-UNIVERSALK9-M), Version 15.2(4)M3
Branch Office: Cisco C2911 Software (C2900-UNIVERSALK9-M), Version 15.3(2)T
I have attached configuration below:
Thank you
Sudan Dhakal
09-20-2013 02:12 PM
How much did you adjust the TCP MSS?
09-20-2013 06:57 PM
Hello Bader,
After testing different-size ping packets from a Windows machine at a remote location:
>ping x.x.x.x
reply success
>ping x.x.x.x -l 1500 -f
packet needs to be fragmentated but df set
packet needs to be fragmentated but df set
>ping x.x.x.x -l 1350 -f
packet needs to be fragmentated but df set
packet needs to be fragmentated but df set
>ping x.x.x.x -l 1340 -f
reply success
reply success
I set different MSS values to test but nothing worked. The running-configuration has the ip tcp adjust-mss 1300 value.
Regards,
Sudan Dhakal
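The DF-bit ping sweep above, turned into a binary search, as an added example that is not part of the thread: the probe is injected as a callback so the search can run offline against a simulated path, and the resulting path MTU is converted into a TCP MSS value. The 28-byte IP+ICMP and 40-byte IP+TCP header sizes are assumptions for IPv4 without options.

```python
"""Path-MTU probing by DF-bit ping sweep, as done by hand in the post above.

Added example, not the poster's own test.  On a real host the probe would
wrap `ping -f -l <size>` (Windows) or `ping -M do -s <size> -c 1` (Linux);
here it is injected so the search runs offline against a simulated path.
"""
from typing import Callable

IP_ICMP_HDR = 28   # assumption: IPv4 header (20) + ICMP echo header (8)
IP_TCP_HDR = 40    # assumption: IPv4 header (20) + TCP header (20), no options


def largest_unfragmented_payload(probe: Callable[[int], bool],
                                 lo: int = 32, hi: int = 1472) -> int:
    """Binary-search the largest ping payload that gets a reply with DF set.

    probe(size) returns True for 'reply success' and False for
    'packet needs to be fragmented but DF set'.  lo must succeed (the plain
    `ping` with the 32-byte default did in the thread); hi is the largest
    candidate, 1500 - 28 for an unencapsulated Ethernet path.
    """
    if not probe(lo):
        raise ValueError(f"even {lo}-byte payload is not delivered with DF set")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid          # mid fits, look higher
        else:
            hi = mid - 1      # mid fragments, look lower
    return lo


def path_mtu(payload: int) -> int:
    """Path MTU implied by the largest unfragmented ping payload."""
    return payload + IP_ICMP_HDR


def recommended_mss(mtu: int, ipsec_overhead: int = 0) -> int:
    """MSS that keeps a full segment under the measured MTU.

    ipsec_overhead stays 0 when the probe already crossed the tunnel (the
    tunnel's cost is then inside the measurement); pass your SA's ESP
    overhead when the probe ran on the underlay instead.
    """
    return mtu - ipsec_overhead - IP_TCP_HDR


def simulated_path(mtu: int) -> Callable[[int], bool]:
    """Constructed probe: a path that drops DF packets larger than mtu."""
    return lambda payload: payload + IP_ICMP_HDR <= mtu


if __name__ == "__main__":
    # Constructed path consistent with the thread: 1340 replies, 1350 fragments.
    best = largest_unfragmented_payload(simulated_path(1368))
    print(best, path_mtu(best), recommended_mss(path_mtu(best)))
```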
09-21-2013 11:19 AM
Perform some packet captures on client and server.
09-21-2013 10:14 PM
Hello Peter,
Wireshark captures at branch location show almost every packet as "TCP segment of a reassembled PDU" and lots of bad checksums.
Regards,
Sudan Dhakal
09-22-2013 12:28 AM
Hi Sudan
You have one of the two issues:
A) MTU path discovery issues where the clients can't find the MTU and default to a very low MTU
Solution: use a tool like MTU Path to find if there is any device not replying to the MTU path discovery http://www.iea-software.com/products/mtupath.cfm
B) TCP MSS values are still high. Try to lower this to 1260
Take care
09-22-2013 11:33 AM
2) Setting ip tcp adjust-mss in outside interface
It does not affect TCP as traffic on outside is already encapsulated in IPsec. Put that command on inside interface.
09-22-2013 12:34 PM
Peter,
Are you sure about that?
09-23-2013 02:43 AM
Are you sure about that?
Actually, I'm not entirely positive. Haven't tested it.
I would say if you put it on inside interface, it's guaranteed.
09-23-2013 05:34 AM
Peter
You are correct. It will also work but... That also means you need to apply the command to each internal interface, and it will also change the MSS of the internal traffic, which is not required.
Applying in the outside interface will guarantee that only VPN traffic will have a lower MSS.
09-28-2013 01:47 PM
Sudan, is it solved?
Let me see the captures, the MSS values and packet/segment sizes should be checked.