06-23-2007 07:28 PM
Hi
We have a network setup where the customers come via the internet to the 7600 and from there we forward this to the MPLS-VPN cloud.
CE -----Internet cloud -------Internet Access router --- 7600-----IP VPN cloud
We use an IPsec tunnel from the CE to the 7600. Sometimes customers complain of email/other applications not working, etc.
Most of the issues are resolved when we put the ip tcp adjust mss command on the LAN from a higher value to a lower value, like from 1452 to 1350, etc.
Can somebody clarify about the working of ip tcp adjust mss and its effect?
Thanks in Advance
Tarun
06-23-2007 10:57 PM
When a host initiates a TCP session with a server, it negotiates the IP segment size by using the MSS option field in the TCP SYN packet. The value of the MSS field is determined by the maximum transmission unit (MTU) configuration on the host. The default MSS value for a PC is 1500 bytes.
Links for Reference:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t4/ft_admss.htm
http://cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml
http://cisco.com/en/US/products/hw/routers/ps4081/products_tech_note09186a0080094268.shtml
But the actual MSS between two end points is derived as below.
MSS = MinPathMTU - MinTCPHeaderLen - MinIPHeaderLen = MTU - 20 - 20 = MTU - 40.
Now for GRE = GRE header + GRE IP header = 4 + 20 = 24
IPSEC = 60 to 72 approx., depending on the encryption used.
Since your internet routers won't be supporting more than 1500 bytes as an MTU, effectively the MSS available for your host to server session is the actual MTU on the path minus the overhead mentioned above,
which is MinPathMTU - MinTCPHeaderLen - MinIPHeaderLen - (GRE header + GRE IP header) - IPSEC overhead
1500 - (40+24+60~72) = 1376~1364.
So a TCP MSS value of 1360 would be safe for your end-to-end TCP sessions over a GRE-IPSEC tunnel.
If you were not doing a GRE-IPSEC till the 7600 and had a leased circuit to the 7600 then an MSS value of 1460 fits well.
1500-40.
HTH-Cheers,
Swaroop
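Added example, not part of the thread and not Cisco's code: a Python model of what `ip tcp adjust-mss` does to a transiting SYN, lowering the MSS option to the value derived in the reply above and patching the TCP checksum. The function names, addresses, ports and sample segment are constructed for illustration.

```python
import struct

TCP_IP = 20 + 20   # minimum TCP + IP headers, per the post
GRE = 4 + 20       # GRE header + GRE IP header, per the post
PSEUDO = bytes([192, 0, 2, 10, 198, 51, 100, 25, 0, 6, 0, 28])  # constructed pseudo-header

def safe_mss(path_mtu, ipsec_overhead, gre=GRE):
    return path_mtu - TCP_IP - gre - ipsec_overhead

def fold(s):
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def checksum(data):  # Internet checksum; expects an even number of bytes
    return ~fold(sum(struct.unpack("!%dH" % (len(data) // 2), data))) & 0xFFFF

def sample_syn(mss):
    """Constructed 28-byte SYN with options NOP, MSS, NOP, NOP, EOL."""
    seg = bytearray(struct.pack("!HHIIBBHHH", 40000, 25, 1, 0, 0x70, 0x02, 65535, 0, 0))
    seg += b"\x01\x02\x04" + struct.pack("!H", mss) + b"\x01\x01\x00"
    struct.pack_into("!H", seg, 16, checksum(PSEUDO + seg))
    return bytes(seg)

def clamp_syn_mss(tcp, limit):
    """Lower the MSS option of a SYN to `limit`; anything else passes through."""
    hdr_len = (tcp[12] >> 4) * 4 if len(tcp) >= 20 else 0
    if hdr_len < 20 or hdr_len > len(tcp) or not tcp[13] & 0x02:
        return tcp
    i = 20
    while i + 1 < hdr_len and tcp[i] != 0:            # kind 0 ends the option list
        kind = tcp[i]
        length = 1 if kind == 1 else tcp[i + 1]       # NOP is a single byte
        if (kind != 1 and length < 2) or i + length > hdr_len:
            return tcp                                # malformed: leave untouched
        if kind == 2 and length == 4:                 # MSS option
            old = struct.unpack_from("!H", tcp, i + 2)[0]
            if old <= limit:
                return tcp
            out = bytearray(tcp)
            struct.pack_into("!H", out, i + 2, limit)
            # RFC 1624 incremental checksum fix over the aligned words touched
            c = ~struct.unpack_from("!H", tcp, 16)[0] & 0xFFFF
            for a in range((i + 2) & ~1, i + 4, 2):
                old_w, new_w = (struct.unpack_from("!H", b, a)[0] for b in (tcp, out))
                c += (~old_w & 0xFFFF) + new_w
            struct.pack_into("!H", out, 16, ~fold(c) & 0xFFFF)
            return bytes(out)
        i += length
    return tcp
```

Only SYN segments carry the MSS option, so data segments are never touched; a host that already advertises a value at or below the limit is also left alone.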
06-24-2007 02:30 AM
Hi Swaroop
Thanks a lot. It clarified my doubt.
Tarun