IP TCP Adjust MSS

Answered Question
Jun 23rd, 2007

Hi


We have a network setup where the customers come via the Internet to a 7600, and from there we forward this to the MPLS-VPN cloud.



CE -----Internet cloud -------Internet Access router --- 7600-----IP VPN cloud



We use an IPsec tunnel from the CE to the 7600. Sometimes customers complain of email/other applications not working, etc.


Most of the issues are resolved when we put the ip tcp adjust-mss command on the LAN from a higher value to a lower value, like from 1452 to 1350, etc.


Can somebody clarify the working of ip tcp adjust-mss and its effect?



Thanks in Advance


Tarun

Correct Answer
swaroop.potdar Sat, 06/23/2007 - 22:57

When a host initiates a TCP session with a server, it negotiates the IP segment size by using the MSS option field in the TCP SYN packet. The value of the MSS field is determined by the maximum transmission unit (MTU) configuration on the host. The default MSS value for a PC is 1500 bytes.


Links for Reference:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t4/ft_admss.htm

http://cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml

http://cisco.com/en/US/products/hw/routers/ps4081/products_tech_note09186a0080094268.shtml



But the actual MSS between two end points is derived as below.


MSS = MinPathMTU - MinTCPHeaderLen - MinIPHeaderLen = MTU - 20 - 20 = MTU - 40.


Now for GRE = GRE header + GRE IP header = 4 + 20 = 24


IPSEC = 60 to 72 approx., depending on the encryption used.


Since your internet routers won't be supporting more than 1500 bytes as an MTU, effectively the MSS available for your host-to-server session is the actual MTU on the path minus the overhead mentioned above.


which is MinPathMTU - MinTCPHeaderLen - MinIPHeaderLen - (GRE header + GRE IP header) - IPSEC overhead

1500 - (40+24+60~72) = 1376~1364.


So a TCP MSS value of 1360 would be safe for your end-to-end TCP sessions over a GRE-IPSEC Tunnel.


If you were not doing GRE-IPSEC till the 7600 and had a leased circuit to the 7600, then an MSS value of 1460 fits well.

1500-40.


HTH-Cheers,

Swaroop
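
Added example (not part of the original thread or of Cisco's documentation): the arithmetic from the answer above, extended to model ESP padding per cipher instead of a flat 60 to 72 bytes, so a candidate adjust-mss value can be checked against a path MTU. It assumes IPv4, ESP tunnel mode with a CBC cipher and a 96-bit HMAC ICV, no NAT-T and no IP/TCP options; the function names are hypothetical.

```python
# Added example: size of a full TCP segment after GRE + ESP tunnel-mode
# encapsulation. Assumptions (not from the thread): IPv4, no IP/TCP options,
# CBC cipher, 96-bit HMAC ICV, no NAT-T.
import math

IP_HDR = 20
TCP_HDR = 20
GRE_OVERHEAD = 4 + 20   # GRE header + GRE IP header, as in the answer
ESP_HDR = 8             # SPI + sequence number
ESP_TRAILER = 2         # pad-length byte + next-header byte
ICV_HMAC_96 = 12        # HMAC-SHA1-96 / HMAC-MD5-96

# cipher name -> (IV bytes, cipher block bytes)
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}


def wire_size(mss, cipher, gre=True):
    """Bytes on the wire for a full-size TCP segment with the given MSS."""
    iv, block = CIPHERS[cipher]
    inner = mss + TCP_HDR + IP_HDR
    if gre:
        inner += GRE_OVERHEAD
    # ESP pads payload + trailer up to a whole number of cipher blocks.
    padded = math.ceil((inner + ESP_TRAILER) / block) * block
    return IP_HDR + ESP_HDR + iv + padded + ICV_HMAC_96


def fits(mss, path_mtu, cipher, gre=True):
    """True if a segment of this MSS crosses the path without fragmentation."""
    return wire_size(mss, cipher, gre) <= path_mtu


def max_mss(path_mtu, cipher, gre=True):
    """Largest MSS whose encapsulated packet still fits in path_mtu."""
    for mss in range(path_mtu - IP_HDR - TCP_HDR, 0, -1):
        if fits(mss, path_mtu, cipher, gre):
            return mss
    return 0


if __name__ == "__main__":
    for cipher in CIPHERS:
        for gre in (True, False):
            print(cipher, "GRE" if gre else "no GRE",
                  "max MSS:", max_mss(1500, cipher, gre),
                  "| MSS 1360 ->", wire_size(1360, cipher, gre), "bytes")
```

Under these assumptions the suggested 1360 stays below a 1500-byte path MTU for both ciphers, while the 1452 from the question does not fit even without GRE.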


tarun209 Sun, 06/24/2007 - 02:30

Hi Swaroop


Thanks a lot. It clarified my doubt.


Tarun
