01-14-2014 07:38 AM - edited 07-04-2021 11:57 PM
Hi,
I'm having some issues with setting up a Guest SSID on a Lightweight AP using H-Reap mode.
The issue is that the clients won't load the Guest Web Login page unless I manually reduce the MTU size on the client, e.g. from 1500 to 1300.
I'll try and give an overview of the setup:
Wireless client ---> Lwap ---> 3750 ---> 1800 ---> VPN Tunnel ---> ASA ---> 6500 ---> WLC
What I'd like to know is if there's any way that I can make all the packets for this particular guest wireless VLAN go through the VPN with a smaller MTU?
I've tried setting the ip tcp mss-adjust on the 1800 router but it doesn't seem to have an effect.
Any help greatly appreciated.
Thanks
01-14-2014 09:22 AM
Enable tcp mss on APs from WLC. config ap tcp-mss-adjust enable all.
Default is 1363; if it does not work, keep reducing.
01-14-2014 09:41 AM
Hi Saravan,
I tried this already and I don't think it works in H-Reap mode; when I make the adjustment I don't see this reflected in the packets in Wireshark. They remain as 1390 from the WLC and 1460 from the client.
If I reduce the MTU on the client directly to 1300 I see the packets from the client with MSS 1260 and this works perfectly, but obviously I'm not able to manually reduce the MTU on every client that will connect to this guest network.
Any other ideas?
01-14-2014 12:29 PM
Is it H-REAP local or central switching? Central switching may still use tcp-mss.
With H-REAP local switching, you can reduce the MTU size on the AP, but the setting doesn't survive an AP reboot.
Telnet/SSH/Console to AP to change the MTU to desired Bytes:
debug capwap con cli
config t
int gi0
mtu 1500
int bvi1
mtu 1500
Note: This workaround does not survive an AP reboot, and must be reapplied if the AP is rebooted.
Other workarounds: alternatively, the MTU size can be trimmed on the wireless client (e.g. 1200 bytes), or on an upstream IOS router that is between the client and the wired network, use "ip tcp adjust-mss". If unable to do these, try setting "ip mtu" on the wired VLANs' default router interfaces.
01-15-2014 04:35 AM
I've tried all of the above and none of them work. It seems like nothing is adjusting the MTU size; the only thing that works is adjusting it manually on the PC.
I've tried setting the VLAN on the switch for the guest network to 1300, setting the gi interface on the access point to 1300, and tried setting the MTU/MSS on the router interfaces to 1300.
I previously had this working without using h-reap by setting the mss to 1300 on the WLC but then their guest traffic was routing through our main office which was proving to be unstable.
01-15-2014 05:23 AM
Is H-REAP local switching possible?
What is the model of AP, WLC and code?
TCP MSS applicable only on TCP over MSS. Try setting TCP MSS to 1200.
Or set MTU on AP to 1250 or below.
Open a TAC case if the above does not work.
01-15-2014 08:14 AM
AP = AIR-LAP1262N-E-K9
WLC = 4402
Version = 7.0.98.218
When you say try setting tcp on mss to 1200, on which device should I try that?
01-15-2014 08:30 AM
On top of actual IP - CAPWAP, VPN header adds up.
It is good to have the setting on the device close to the AP and nice to set on all intermediate devices.
Did you try to reduce MTU/MSS on the VPN?
If old AP models with central switching or local mode AP are not seeing this issue then it's possible the 126X is running a bug. Incorrect DF bit set could be an issue.
7.0MR5 is out, try on it.
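Added example, not part of the thread: a way to confirm from captured bytes whether MSS clamping is actually being applied, by reading the MSS option and DF bit from a TCP SYN and comparing against the 1260 value the thread reports as working. The function names, addresses and sample packets are constructed for illustration; IP/TCP checksums are left at zero and not verified.

```python
import struct

KNOWN_GOOD_MSS = 1260  # MSS seen in the thread once the client MTU was set to 1300

def build_syn(mss, df=True):
    """Constructed sample: minimal IPv4+TCP SYN carrying an MSS option."""
    opts = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01\x01\x00"  # MSS, NOPs, EOL
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0,
                      (5 + len(opts) // 4) << 4, 0x02, 65535, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1,
                     0x4000 if df else 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return ip + tcp

def parse_syn(pkt):
    """Return (df_set, mss) for an IPv4 TCP SYN, or None if it is not one."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != 6 or len(pkt) < ihl + 20:
        return None
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)
    tcp = pkt[ihl:]
    if not tcp[13] & 0x02:                  # SYN flag not set
        return None
    opts, i, mss = tcp[20:(tcp[12] >> 4) * 4], 0, None
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                           # malformed length, stop parsing
        if kind == 2 and opts[i + 1] == 4 and i + 4 <= len(opts):
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return df, mss

def exceeds_known_good(pkt, limit=KNOWN_GOOD_MSS):
    """True/False for a SYN with an MSS option; None for anything else."""
    parsed = parse_syn(pkt)
    if parsed is None or parsed[1] is None:
        return None
    return parsed[1] > limit

if __name__ == "__main__":
    for mss in (1460, 1390, 1260):          # values reported in the thread
        print(mss, parse_syn(build_syn(mss)), exceeds_known_good(build_syn(mss)))
```

Run against SYNs captured on each side of a device that is supposed to clamp: if the MSS is unchanged across it, the adjustment is not taking effect on that path.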