IP TCP Adjust MSS

tarun209
Level 1

Hi

We have a network setup where the customers come via the Internet to a 7600, and from there we forward this to the MPLS-VPN cloud.

CE -----Internet cloud -------Internet Access router --- 7600-----IP VPN cloud

We use an IPsec tunnel from the CE to the 7600. Sometimes customers complain of email/other applications not working, etc.

Most of the issues are resolved when we change the ip tcp adjust mss command on the LAN from a higher value to a lower value, like from 1452 to 1350, etc.

Can somebody clarify the working of ip tcp adjust mss and its effect?

Thanks in Advance

Tarun


swaroop.potdar
Level 7

When a host initiates a TCP session with a server, it negotiates the IP segment size by using the MSS option field in the TCP SYN packet. The value of the MSS field is determined by the maximum transmission unit (MTU) configuration on the host. The default MSS value for a PC is 1500 bytes.

Links for Reference:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t4/ft_admss.htm

http://cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml

http://cisco.com/en/US/products/hw/routers/ps4081/products_tech_note09186a0080094268.shtml

But the actual MSS between two endpoints is derived as below.

MSS = MinPathMTU - MinTCPHeaderLen - MinIPHeaderLen = MTU - 20 - 20 = MTU - 40.

Now for GRE: GRE header + GRE IP header = 4 + 20 = 24

IPSEC = 60 to 72 approx., depending on the encryption used.

Since your Internet routers won't be supporting more than 1500 bytes as an MTU, effectively the MSS available for your host-to-server session is the actual MTU on the path minus the overhead mentioned above,

which is MinPathMTU - MinTCPHeaderLen - MinIPHeaderLen - (GRE header + GRE IP header) - IPSEC overhead

1500 - (40+24+60~72) = 1376~1364.

So a TCP MSS value of 1360 would be safe for your end-to-end TCP sessions over a GRE-IPSEC tunnel.

If you were not doing GRE-IPSEC till the 7600 and had a leased circuit to the 7600, then an MSS value of 1460 fits well.

1500 - 40.

HTH-Cheers,

Swaroop
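Added example, not part of the thread and not Cisco's implementation: a Python sketch of the rewrite an MSS clamp performs on a transiting TCP SYN, lowering the MSS option and patching the TCP checksum incrementally (RFC 1624). It assumes IPv4; the function names and the `sample_syn` test segment are constructed for illustration.

```python
import struct

def tcp_checksum(src: bytes, dst: bytes, seg: bytes) -> int:
    """TCP checksum over IPv4 pseudo-header + segment; 0 means the segment verifies."""
    data = src + dst + struct.pack("!BBH", 0, 6, len(seg)) + seg + b"\0" * (len(seg) % 2)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def csum_update(csum: int, old: int, new: int) -> int:
    # RFC 1624 incremental update for one changed 16-bit word: HC' = ~(~HC + ~m + m')
    s = (~csum & 0xFFFF) + (~old & 0xFFFF) + new
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def clamp_mss(seg: bytes, limit: int) -> bytes:
    """Lower the MSS option of a SYN or SYN-ACK to `limit`; anything else is returned as-is."""
    hlen = (seg[12] >> 4) * 4 if len(seg) >= 20 else 0
    if hlen < 20 or hlen > len(seg) or not seg[13] & 0x02:
        return seg
    buf, i = bytearray(seg), 20
    while i < hlen and buf[i] != 0:               # kind 0: end of option list
        if buf[i] == 1:                           # kind 1: NOP, a single byte
            i += 1
            continue
        if i + 1 >= hlen or buf[i + 1] < 2 or i + buf[i + 1] > hlen:
            return seg                            # malformed option: leave untouched
        if buf[i] == 2 and buf[i + 1] == 4:       # kind 2: MSS, 16-bit value
            old = struct.unpack_from("!H", buf, i + 2)[0]
            if old <= limit:
                return seg
            a, n = (i + 2) & ~1, 1 + (i & 1)      # aligned checksum words covering the value
            before = struct.unpack_from("!%dH" % n, buf, a)
            struct.pack_into("!H", buf, i + 2, limit)
            csum = struct.unpack_from("!H", buf, 16)[0]
            for o, w in zip(before, struct.unpack_from("!%dH" % n, buf, a)):
                csum = csum_update(csum, o, w)
            struct.pack_into("!H", buf, 16, csum)
            return bytes(buf)
        i += buf[i + 1]
    return seg

def sample_syn(src: bytes, dst: bytes, options: bytes, flags: int = 0x02) -> bytes:
    # Constructed test segment (not captured traffic): ports 40000 -> 25, seq 1, window 65535
    seg = bytearray(struct.pack("!HHIIBBHHH", 40000, 25, 1, 0,
                                (20 + len(options)) // 4 << 4, flags, 65535, 0, 0) + options)
    struct.pack_into("!H", seg, 16, tcp_checksum(src, dst, bytes(seg)))
    return bytes(seg)
```

With the 1360 suggested above, `clamp_mss(sample_syn(src, dst, b"\x02\x04\x05\xb4"), 1360)` turns an advertised 1460 into 1360 and `tcp_checksum` over the result is still 0.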


Hi Swaroop

Thanks a lot. It clarified my doubt.

Tarun
