11-25-2014 08:27 AM
Hello,
I have a 2901 router building a dynamic VPN to a third party device. The VPN initially was having trouble passing some traffic. Pings worked, HTTP wouldn't. So I did some packet captures, and saw that it needed to fragment. So I set the external interface MTU down to 1380, and the VPN started working perfectly. However, it "broke" regular web access. Now some external websites (on the Internet/non-VPN) were exhibiting the same behavior.
My topology is very simple: ISP Ethernet hand-off -- 2901 router -- internal switch.
What's the correct MTU design for this scenario?
Thanks
Solved! Go to Solution.
11-25-2014 08:39 AM
edit: below is a broad generalization
Unless you need to worry about big datagram protocols, tweak MSS instead of MTU.
Or adjust MTU (and MSS) on logical interfaces (tunnel or VT)
M.
11-27-2014 01:30 AM
You can calculate the MTU using the info below. Also remember that when tweaking the MTU you have to adjust the MSS as well. The MSS has to be set at least 40 bytes less than the MTU.
Packets exceeding the MTU will be fragmented (requires more processing power, and sometimes may cause problems) but still forwarded; however, packets exceeding the MSS are normally discarded if it is not correctly negotiated.
esp-(des or 3des) with esp-sha-hmac or esp-md5-hmac: adds 57 bytes
esp-null with esp-sha-hmac or esp-md5-hmac: adds 45 bytes
esp-3des or esp-des (no authentication): adds 45 bytes
esp-aes-(256, 192 or 128) with esp-sha-hmac or esp-md5-hmac: adds 73 bytes
esp-aes-(256, 192 or 128) (no authentication): adds 61 bytes
ah-(sha or md5)-hmac with esp-(3des or des): adds 69 bytes
ah-(sha or md5)-hmac with esp-aes-(128, 192 or 256): adds 85 bytes
ah-sha-hmac or ah-md5-hmac only: adds 44 bytes
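Putting the two answers together (clamp the TCP MSS instead of lowering the physical MTU, and size it from the IPsec overhead figures listed above), here is an added worked example. It is not code from this thread or from Cisco. It assumes a 1500-byte Ethernet MTU on the ISP hand-off, the usual 40-byte IPv4 + TCP header size, and the interface name GigabitEthernet0/1 for the LAN side; the per-transform overhead numbers are the ones given in the answer above.

```python
"""Worked MTU/MSS arithmetic for an IPsec-protected path (added example).

Assumptions: 1500-byte physical MTU, 20-byte IPv4 header, 20-byte TCP
header. The overhead table is copied from the answer above (worst case,
i.e. ESP/AH header, IV, block padding, trailer and ICV included).
"""

# Bytes added by IPsec per transform set (from the thread's list).
IPSEC_OVERHEAD = {
    "esp-des/3des + esp-sha/md5-hmac": 57,
    "esp-null + esp-sha/md5-hmac": 45,
    "esp-des/3des (no auth)": 45,
    "esp-aes + esp-sha/md5-hmac": 73,
    "esp-aes (no auth)": 61,
    "ah-sha/md5-hmac + esp-des/3des": 69,
    "ah-sha/md5-hmac + esp-aes": 85,
    "ah-sha/md5-hmac only": 44,
}

IPV4_HEADER = 20
TCP_HEADER = 20
ETHERNET_MTU = 1500  # assumed physical MTU on the ISP hand-off


def tunnel_mtu(physical_mtu: int, transform: str) -> int:
    """Largest cleartext IP packet that still fits in one encrypted packet."""
    return physical_mtu - IPSEC_OVERHEAD[transform]


def mss_for_mtu(ip_mtu: int) -> int:
    """MSS that fits in ip_mtu: the thread's rule of 'at least 40 bytes less'.

    A full-size segment is MSS + IPv4 header + TCP header, so MSS = MTU - 40.
    """
    return ip_mtu - IPV4_HEADER - TCP_HEADER


def recommend(physical_mtu: int, transform: str) -> tuple:
    """(tunnel MTU, MSS to clamp) for a given transform set on this link."""
    mtu = tunnel_mtu(physical_mtu, transform)
    return mtu, mss_for_mtu(mtu)


def segment_fate(mss: int, ip_mtu: int, df_set: bool = True) -> str:
    """What the router does with a full-size TCP segment built from `mss`.

    Modern hosts set DF for PMTU discovery, so an oversized segment is
    dropped (with an ICMP 'fragmentation needed' that may never reach the
    sender), which is the 'pings work, HTTP does not' symptom in the question.
    """
    packet = mss + IPV4_HEADER + TCP_HEADER
    if packet <= ip_mtu:
        return "forwarded"
    return "dropped" if df_set else "fragmented"


def ios_mss_clamp(lan_interface: str, mss: int) -> list:
    """IOS lines that clamp the MSS on the inside interface (the fix in the thread)."""
    return [f"interface {lan_interface}", f" ip tcp adjust-mss {mss}"]


if __name__ == "__main__":
    # The original poster's numbers: external MTU forced to 1380.
    print("default 1460-byte MSS on a 1380 MTU:", segment_fate(1460, 1380))
    print("MSS for a 1380 MTU:", mss_for_mtu(1380))
    # Sizing from the overhead table instead of guessing the MTU.
    for name in IPSEC_OVERHEAD:
        mtu, mss = recommend(ETHERNET_MTU, name)
        print(f"{name:34s} tunnel MTU {mtu}  clamp MSS {mss}")
    print("\n".join(ios_mss_clamp("GigabitEthernet0/1",
                                  recommend(ETHERNET_MTU, "esp-aes + esp-sha/md5-hmac")[1])))
```

The physical interface keeps its 1500-byte MTU, so non-VPN Internet traffic is untouched; only TCP sessions passing through the LAN interface get their SYN MSS rewritten, which is why the clamp fixes the VPN without breaking ordinary web access. UDP and other datagram protocols are not helped by this, which is the "big datagram protocols" caveat in the first answer.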
12-02-2014 07:45 PM
Tweaking mss on my LAN interface solved the problem. Thanks