MTU issue

Unanswered Question
Dec 18th, 2007

Hi,

We have a dmvpn setup and some troubles with mtu. Pictures in the web browser does not show.

Here is the setup:

!

interface Tunnel1

ip address 10.226.0.2 255.255.0.0

ip mtu 1440

ip nhrp authentication

ip nhrp map multicast 87.238.66.4

ip nhrp map 10.226.0.1 87.238.66.4

ip nhrp network-id 666

ip nhrp nhs 10.226.0.1

ip nhrp cache non-authoritative

ip tcp adjust-mss 1400

no ip split-horizon

tunnel source FastEthernet4

tunnel destination

tunnel

tunnel protection ipsec profile DMVPN

!

We have also tried this setup with better performance , but still some problems on some web pages.

!

interface Tunnel1

ip address 10.226.0.2 255.255.0.0

ip mtu 1500

ip nhrp authentication

ip nhrp map multicast 87.238.66.4

ip nhrp map 10.226.0.1 87.238.66.4

ip nhrp network-id 666

ip nhrp nhs 10.226.0.1

ip nhrp cache non-authoritative

ip tcp adjust-mss 1400

no ip split-horizon

tunnel source FastEthernet4

tunnel destination

tunnel

tunnel protection ipsec profile DMVPN

!

!

interface Vlan1

description LAN-interface

ip address 10.172.56.1 255.255.255.0

ip tcp adjust-mss 1400

ip verify unicast source reachable-via rx

ip helper-address !

BR,

Bjornarsb

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Loading.
lgijssel Tue, 12/18/2007 - 02:06

To be absolutely sure that the mtu will fit end-to-end without fragmentation, please try the following:

int (DMVPN-Gateway)

ip mtu 1340

ip tcp adjust-mss 1300

Note that the adjustment of the mss must be applied at the correct spot, namely the LAN-interface of your gateway to the DNVPN network.

regards,

Leo

bjornarsb Tue, 12/18/2007 - 04:49

Hi,

It does not work.

Central router :

!

interface Tunnel1

ip address 10.226.0.1 255.255.0.0

no ip redirects

ip mtu 1340

ip nhrp authentication

ip nhrp map multicast dynamic

ip nhrp network-id 666

ip tcp adjust-mss 1300

no ip split-horizon

tunnel source Loopback1

tunnel mode gre multipoint

tunnel key

tunnel protection ipsec profile DMVPN

!

interface FastEthernet0/0

ip address 192.168.7.x 255.255.255.0

ip tcp adjust-mss 1300

speed 100

full-duplex

crypto map DMVPN

!

Customer router:

!

interface Tunnel1

ip address 10.226.0.2 255.255.0.0

ip mtu 1340

ip nhrp authentication

ip nhrp map multicast

ip nhrp map 10.226.0.1

ip nhrp network-id 666

ip nhrp nhs 10.226.0.1

ip nhrp cache non-authoritative

ip tcp adjust-mss 1300

no ip split-horizon

tunnel source FastEthernet4

tunnel destination 87.238.66.4

tunnel key

tunnel protection ipsec profile DMVPN

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

description Mot_lokal_ISP_

ip address 82.x.x.x 255.255.255.252

ip access-group DENY-WORLD-in in

ip virtual-reassembly

duplex auto

speed auto

crypto map DMVPN

!

interface Vlan1

description LAN-interface

ip address 10.172.56.1 255.255.255.0

ip verify unicast source reachable-via rx

ip helper-address 172.29.251.30

ip tcp adjust-mss 1300

!

BR,

Bjornarsb

lgijssel Tue, 12/18/2007 - 05:34

When this was purely an MTU-issue, you should have noticed a difference. This makes me think your problem could lie elsewhere.

Therefore, may I ask what makes you think this is mtu-related.

Can you trie to verify the actual mtu when using the GRE-tunnels? The following link might be helpful:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

regards,

Leo

bjornarsb Tue, 12/18/2007 - 06:28

Hi,

Strange it seems like 628 i the limit ?

Dec 18 15:21:22.786 CET: Tunnel1: GRE/IP encapsulated -> (linktype=7, len=68)

Dec 18 15:21:22.790 CET: Tunnel1: GRE/IP encapsulated (linktype=7, len=628)

Dec 18 15:21:22.794 CET: Tunnel1: GRE/IP encapsulated (linktype=7, len=628)

Dec 18 15:21:22.794 CET: Tunnel1: GRE/IP encapsulated (linktype=7, len=260)

Dec 18 15:21:22.798 CET: Tunnel1: GRE/IP encapsulated (linktype=7, len=69)

BR,

Bjornarsb

lgijssel Tue, 12/18/2007 - 09:45

It could also be that your traffic is all relatively small in size. To verify mtu size, use an extended ping with DF-bit set and varying packet size.

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080093f22.shtml

You will notice that all pings will fail above a certain packetsize. Example from my laptop:

C:\WINDOWS>ping 192.168.21.1 -f -l 1272

Pinging 192.168.21.1 with 1272 bytes of data:

Reply from 192.168.21.1: bytes=1272 time=2ms TTL=255

Reply from 192.168.21.1: bytes=1272 time=2ms TTL=255

Reply from 192.168.21.1: bytes=1272 time=4ms TTL=255

Reply from 192.168.21.1: bytes=1272 time=2ms TTL=255

Ping statistics for 192.168.21.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 2ms, Maximum = 4ms, Average = 2ms

C:\WINDOWS>ping 192.168.21.1 -f -l 1274

Pinging 192.168.21.1 with 1274 bytes of data:

Packet needs to be fragmented but DF set.

Packet needs to be fragmented but DF set.

Packet needs to be fragmented but DF set.

Packet needs to be fragmented but DF set.

Ping statistics for 192.168.21.1:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\WINDOWS>

The highest number that succeeded was 1272 bytes. Add to this 20 bytes ip header plus 8 bytes icmp header for a total of 1300.

This is your actual MTU.

regards,

Leo

Pavel Bykov Tue, 12/18/2007 - 03:51

Beforewarned, that MSS and MTU are different. For TCP/IP, the MSS is MTU + 40 bytes.

This is because MTU is measured including L3 and L4 headers (containment of L2 header) and MSS is measured how much data can be in one segment (TCP in this case).

So if anything, you should try setting:

ip mtu 1400

ip tcp adjust-mss 1360

Hope this helps

bvsnarayana03 Tue, 12/18/2007 - 04:58

When we are manipulating the mss value, do we need to specify the mtu on interface. As per your explanation, MSS now should be 1360+40=1400.

Pavel Bykov Tue, 12/18/2007 - 06:09

MTU setting is for the whole interface, while MSS setting is only for the TCP SYN packets going through the router.

From the command description: "To adjust the maximum segment size (MSS) value of TCP SYN packets going through a router, use the ip tcp adjust-mss command"

Maximum for this command is 1460 (i.e. 1500 - 20 byte IP header - 20 byte TCP header)

MTU command is for all communication and is actually alters interface functions. MSS command intercepts TCP SYN and modifies data there. You should always use "ip mtu" and optionally "ip tcp adjust-mss" command, in case hosts do not support automatic MTU discovery.

Actions

This Discussion