VPN MTU question

billmatthews
Level 1

Hello,

I have a 2901 router building a dynamic VPN to a third party device.  The VPN initially was having trouble passing some traffic.  Pings worked, HTTP wouldn't.  So I did some packet captures, and saw that it needed to fragment.  So I set the external interface mtu down to 1380, and the VPN started working perfectly.  However it "broke" regular web access.  Now some external websites (on the Internet/non-VPN) were exhibiting the same behavior.

My topology is very simple: ISP Ethernet hand-off -- 2901 router -- internal switch.

What's the correct MTU design for this scenario?

Thanks

3 Replies

Marcin Latosiewicz
Cisco Employee

edit: below is a broad generalization

Unless you need to worry about big datagram protocols tweak MSS instead of MTU. 

Or adjust MTU (and MSS) on logical interfaces (tunnel or VT)

M.

Tweaking mss on my LAN interface solved the problem. Thanks

Michal Dulovic
Level 1

You can count the MTU using below info. Also remember when tweaking MTU you have to also adjust the MSS. MSS has to be set at least 40 bytes less than MTU.

Packets exceeding MTU will be fragmented (requires more processing power, and sometimes may cause problems) but still forwarded; however, packets exceeding MSS are normally discarded if not correctly negotiated.

• GRE (IP Protocol 47) (RFC 2784) adds 24 bytes (20 byte IPv4 header, 4 byte GRE header)
• IPSec Tunnel Mode with ESP header adds 52-60 bytes - dependent on encryption used
• IPSec Tunnel Mode with AH adds 44 (24 bytes AH + 20 bytes tunnel) bytes - dependent on encryption used
• IPSec Transport Mode with ESP header adds 40/32 bytes [ (8 Byte header (SPI and Sequence Number,) 16/8 Byte IV and 16 Byte trailer) ] – depends on payload size due to padding and 
• IPSec Transport Mode with AH header adds 24 byte header - dependent on encryption used
• 6in4 encapsulation (IP Protocol 41, RFC 4213) adds 20 bytes
• 4in6 encapsulation (e.g. DS-Lite RFC 6333) adds 40 bytes
• Any time you add another outer IPv4 header adds 20 bytes
• IPsec encryption performed by the DMVPN adds Transformset overhead (overhead depends on transport or tunnel mode and the encryption/authentication algorithm and HMAC)
• MPLS adds 4 bytes for each label in the stack
• IEEE 802.1Q tag adds 4 bytes (Q-in-Q would add 8 bytes)
• VXLAN adds 50 bytes
• OTV adds 42 bytes
• LISP adds 36 bytes for IPv4 and 56 bytes for IPv6 encapsulation
• NVGRE adds 42 bytes
• STT adds 54 bytes
 

esp-(des or 3des) esp-sha-hmac or md5 adds 57 bytes

esp-null esp-sha-hmac or md5 adds 45 bytes

esp-3des, esp-des adds 45 bytes

esp-aes-(256 or 192 or 128) esp-sha-hmac or md5 adds 73 bytes

esp-aes (256 or 192 or 128) adds 61 bytes

ah-(sha or md5)-hmac esp-(3des or des) adds 69 bytes

ah-(sha or md5)-hmac esp-aes-(128, 192, or 256) adds 85 bytes

ah-sha-hmac or md5 adds 44 bytes
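The two replies above say the same thing from two angles: the tunnel MTU is the interface MTU minus the encapsulation overhead, and the TCP MSS must sit at least 40 bytes (IPv4 header + TCP header) below that MTU so segments never need fragmenting. The following calculator is an added example, not code from the thread or from Cisco; it takes the overhead figures listed in the reply as a lookup table and returns the usable tunnel MTU and the MSS to clamp to. The interface MTU of 1500 and the encapsulation stacks in the sample run are assumed inputs.

```python
# Added example: derive tunnel MTU and the TCP MSS clamp from per-encapsulation
# overhead. The byte counts below are the ones listed in the reply above;
# the 1500-byte interface MTU used in the sample run is an assumption.

IPV4_HEADER = 20
TCP_HEADER = 20  # minimal TCP header, no options

# Encapsulation overhead in bytes (fixed-size entries from the reply's list).
ENCAP_OVERHEAD = {
    "gre": 24,          # 20 byte outer IPv4 + 4 byte GRE header
    "ipv4-outer": 20,   # any additional outer IPv4 header
    "6in4": 20,
    "4in6": 40,
    "mpls-label": 4,    # per label in the stack
    "dot1q": 4,
    "vxlan": 50,
    "otv": 42,
    "lisp-ipv4": 36,
    "lisp-ipv6": 56,
    "nvgre": 42,
    "stt": 54,
}

# IPsec transform-set overhead in bytes, as listed in the reply.
IPSEC_OVERHEAD = {
    "esp-des/3des esp-sha/md5-hmac": 57,
    "esp-null esp-sha/md5-hmac": 45,
    "esp-des/3des": 45,
    "esp-aes esp-sha/md5-hmac": 73,
    "esp-aes": 61,
    "ah-hmac esp-des/3des": 69,
    "ah-hmac esp-aes": 85,
    "ah-sha/md5-hmac": 44,
}


def encapsulation_overhead(encaps):
    """Sum the overhead of every encapsulation layer in the stack."""
    total = 0
    for name in encaps:
        if name in ENCAP_OVERHEAD:
            total += ENCAP_OVERHEAD[name]
        elif name in IPSEC_OVERHEAD:
            total += IPSEC_OVERHEAD[name]
        else:
            raise KeyError(f"unknown encapsulation: {name}")
    return total


def tunnel_mtu(interface_mtu, encaps):
    """Largest inner IP packet that fits in one outer frame without fragmenting."""
    return interface_mtu - encapsulation_overhead(encaps)


def mss_for_mtu(mtu):
    """MSS that fills an IPv4/TCP packet of exactly this MTU."""
    return mtu - IPV4_HEADER - TCP_HEADER


def mss_is_safe(mss, mtu):
    """The reply's rule of thumb: MSS must be at least 40 bytes below the MTU."""
    return mss <= mtu - 40


def needs_fragmentation(packet_len, interface_mtu, encaps):
    """True if an inner packet of this size will not fit after encapsulation."""
    return packet_len > tunnel_mtu(interface_mtu, encaps)


def plan(interface_mtu, encaps):
    """Return the tunnel MTU and the MSS value to clamp TCP to for that path."""
    mtu = tunnel_mtu(interface_mtu, encaps)
    return {"tunnel_mtu": mtu, "tcp_mss": mss_for_mtu(mtu)}


if __name__ == "__main__":
    # Assumed scenario: Ethernet uplink, IPsec tunnel mode with AES + SHA HMAC.
    for stack in (["esp-aes esp-sha/md5-hmac"],
                  ["gre", "esp-aes esp-sha/md5-hmac"]):
        p = plan(1500, stack)
        print(f"{' over '.join(stack)}: tunnel MTU {p['tunnel_mtu']}, "
              f"clamp MSS to {p['tcp_mss']}")
    # A 1500-byte inner packet (e.g. a full HTTP segment) does not fit; a
    # 1400-byte one does, which matches the ping-works/HTTP-fails symptom.
    print(needs_fragmentation(1500, 1500, ["esp-aes esp-sha/md5-hmac"]))
    print(needs_fragmentation(1400, 1500, ["esp-aes esp-sha/md5-hmac"]))
```

The design point the calculator makes explicit is why clamping MSS on the LAN side fixed the original poster's problem where lowering the outside interface MTU did not: the MSS clamp only shrinks TCP segments that traverse the router, so Internet-bound TCP still fits a 1500-byte path, whereas a 1380-byte outside MTU forces every outbound packet, VPN or not, to be fragmented or dropped when DF is set.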