09-15-2008 08:26 AM - edited 02-21-2020 03:56 PM
I have heavy fragmentation with this configuration, and because of this, remote sites cannot receive good VPN bandwidth.
2821 is headquarters router and 1721 remote vpn site.
1721 has a vpn module.
What can I do?
09-15-2008 12:23 PM
try adding:-
ip tcp adjust-mss 1300
To any of the interfaces that face the LAN on either site.
HTH>
09-15-2008 02:15 PM
Hi,
First, thanks for responding so fast.
I do not understand "To any of the interfaces that face the LAN on either site."
Can you explain it better?
Thanks and best regards
09-15-2008 10:15 PM
Place it on the fast ethernet on the 17xx or the gig ethernet on the 28xx, either one will do.
The command only needs to be placed in one location to intercept the tcp syn/tcp syn ack when the connection is formed.
HTH>
09-16-2008 08:31 AM
Hi again,
Imagine... there are a 2821 router and a 1721 site to site vpn.
1721 site to site to a 837 and 2821 site to site with the 837.
Then... the comment will be placed into the 1721 atm 0.1 and 2821 gigaethernet1 ??
Best regards
09-16-2008 11:17 AM
Edgar,
This setting could practically fix all the issues related to fragmentation/MTU/MSS you are seeing.
It will not hurt to add it to ALL LAN interfaces - on the 1721, 837 & 2821.
If you have VPNs do not add it to the WAN interface - as the device will not see the tcp syn/tcp syn ack as they will be encrypted.
Put it this way - the Cisco PIX/ASA running 7.x code and above has a default tcp mss of 1380. And the tcp adjust-mss command has been in router/switch IOS since about 12.x.
HTH.
09-16-2008 12:13 PM
Hi,
Can I follow this web http://help.expedient.com/broadband/mtu_ping_test.shtml to get the correct MTU to use with your command? or I must use 1300?
09-16-2008 12:33 PM
Edgar,
That link is OK - let's do some math:-
IP Header - 20 Bytes
TCP Header - 20 Bytes
IPSEC Header - 56 Bytes
Standard LAN NIC MTU = 1500. When a tcp syn connection is started - the TCP stack will do the following:-
So the NIC MTU = 1500, take away 20 bytes for the IP header, take away 20 bytes for the TCP header - advertise a MSS of 1460.
When you have PMTUD enabled (enabled by default on ALL Microsoft OS) ALL packets have the DF bit set.
So you negotiate a TCP session, to 1460 with the DF bit set, the packets arrive at the firewall/VPN device ready for encryption...
but the device needs to add 56 bytes of encryption to the packet.....1460 + 56 = 1516, but the interface MTU is 1500 right! ooops!
If you start using a ping with the DF bit set - it's misleading as an ICMP packet is 20 bytes, with IP info - so the MTU reported will be 1480! not what you are looking for.
So to be safe I always do the following:-
20 Bytes for IP header
20 Bytes for TCP header
28 Bytes for GRE encapsulation (if I want to use Dynamic routing protocols over VPN)
56 Bytes for IPSEC
So far = 1356.
I always calculate an extra if I am dealing with VOIP:-
12 Bytes for RTP
All totaled = 1344
I also allow for "fudge" so I use 1300 bytes as the MSS value.....works extremely well for me.
HTH>
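An added illustration of the two points above (the MSS math and what `ip tcp adjust-mss` actually does to the handshake), not code from the thread or from Cisco: it builds a constructed IPv4 TCP SYN advertising MSS 1460, walks the TCP option list, and rewrites the MSS down to 1300 with the checksum fixed, which is the clamping the router performs when the command sits on the LAN-facing interface. Addresses and ports are made-up sample values; IPv4 input is assumed.

```python
import socket
import struct

def checksum(data: bytes) -> int:
    # RFC 1071 one's-complement sum over 16-bit words
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_checksum(src: bytes, dst: bytes, tcp: bytes) -> int:
    # The TCP checksum also covers the IPv4 pseudo-header (src, dst, zero, proto 6, TCP length)
    return checksum(src + dst + struct.pack("!BBH", 0, 6, len(tcp)) + tcp)

def build_syn(mss: int, src="10.1.1.10", dst="10.2.2.20") -> bytes:
    # Constructed IPv4 + TCP SYN carrying an MSS option (sample input, not a capture)
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    opts = struct.pack("!BBH", 2, 4, mss)  # option kind 2, length 4, MSS value
    tcp = struct.pack("!HHIIHHHH", 40000, 443, 1, 0, (6 << 12) | 0x02, 65535, 0, 0) + opts
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(s, d, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, s, d)
    return ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + tcp

def find_mss(tcp: bytes):
    # (offset, value) of the MSS option in a SYN/SYN-ACK header, or None if absent
    if not tcp[13] & 0x02:
        return None
    i, doff = 20, (tcp[12] >> 4) * 4
    while i < doff:
        kind = tcp[i]
        length = 1 if kind == 1 else (tcp[i + 1] if i + 1 < doff else 0)  # NOP has no length
        if kind == 0 or (kind != 1 and length < 2):  # end of options or malformed
            return None
        if kind == 2 and length == 4:
            return i, struct.unpack("!H", tcp[i + 2:i + 4])[0]
        i += length
    return None

def clamp_mss(pkt: bytes, max_mss: int) -> bytes:
    # What `ip tcp adjust-mss` does on the LAN side: lower an advertised MSS above max_mss
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:  # not TCP, leave untouched
        return pkt
    tcp = bytearray(pkt[ihl:])
    found = find_mss(tcp)
    if found is None or found[1] <= max_mss:
        return pkt
    tcp[found[0] + 2:found[0] + 4] = struct.pack("!H", max_mss)
    tcp[16:18] = b"\x00\x00"  # zero, then recompute the checksum over the rewritten header
    tcp[16:18] = struct.pack("!H", tcp_checksum(pkt[12:16], pkt[16:20], bytes(tcp)))
    return pkt[:ihl] + bytes(tcp)
```

Run `clamp_mss(build_syn(1460), 1300)` and the SYN leaves with MSS 1300 and a valid checksum; a SYN already at or below the limit passes through unchanged.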
09-16-2008 12:54 PM
Hi,
VPN site to site from 2821 with a 4 Mbps x 4 Mbps LMDS and 837 ADSL 3000/512...which would be the max download rate?
And 2821 to a 1721 (vpn module installed) with an ADSL 4000/512?
Best regards
09-16-2008 01:03 PM
This is off topic.
Let me ask you a question - what is the encrypted throughput of the 2821, 837 & 1721?
What is the clear-text throughput of the 2821, 837 & 1721?
09-16-2008 01:12 PM
Using 3des-esp sha-hmac
09-16-2008 01:22 PM
Edgar, you misunderstood.
You tell me:-
what is the possible encrypted throughput of the 2821, 837 & 1721?
What is the possible clear-text throughput of the 2821, 837 & 1721?
From that you will devise what speeds you should be seeing.
09-16-2008 01:24 PM
Sorry about my English....
What is the meaning of encrypted throughput and clear-text throughput?
09-25-2020 02:54 AM
Thank you, it works for me.
I have a Cisco ASA and pfSense on the other side.
When I changed the MSS on pfSense to 1300, my UDP/VoIP started working over the IKEv2 VPN.