Prevent vpn fragmentation

Answered Question
Sep 15th, 2008

I have heavy fragmentation with this configuration, and because of this, remote sites cannot get good VPN bandwidth.

The 2821 is the headquarters router and the 1721 is the remote VPN site.

The 1721 has a VPN module.

What can I do?


Edgar,

That link is OK - let's do some math:-

IP Header - 20 Bytes

TCP Header - 20 Bytes

IPSEC Header - 56 Bytes

Standard LAN NIC MTU = 1500. When a TCP SYN connection is started, the TCP stack will do the following:-

So the NIC MTU = 1500, take away 20 bytes for the IP header, take away 20 bytes for the TCP header - advertise an MSS of 1460.

When you have PMTUD enabled (enabled by default on ALL Microsoft OS), ALL packets have the DF bit set.

So you negotiate a TCP session to 1460 with the DF bit set, and the packets arrive at the firewall/VPN device ready for encryption...

but the device needs to add 56 bytes of encryption to the packet..... 1460 + 56 = 1516, but the interface MTU is 1500, right! Oops!

If you start using a ping with the DF bit set, it's misleading, as an ICMP packet is 20 bytes with IP info - so the MTU reported will be 1480! Not what you are looking for.

So to be safe I always do the following:-

20 Bytes for IP header

20 Bytes for TCP header

28 Bytes for GRE encapsulation (if I want to use Dynamic routing protocols over VPN)

56 Bytes for IPSEC

So far = 1356.

I always calculate an extra if I am dealing with VOIP:-

12 Bytes for RTP

All totaled = 1344

I also allow for "fudge", so I use 1300 bytes as the MSS value..... works extremely well for me.

HTH.

edgar-quintana Mon, 09/15/2008 - 14:15

Hi,

First, thanks for the fast response.

I do not understand " To any of the interfaces that face the LAN on either site."

Can you explain it better?

Thanks and best regards

edgar-quintana Tue, 09/16/2008 - 08:31

Hi again,

Imagine... there are a 2821 router and a 1721 in a site-to-site VPN.

The 1721 is site-to-site with an 837, and the 2821 is site-to-site with the 837.

Then... the command would be placed on the 1721 atm 0.1 and the 2821 gigaethernet1??

Best regards

Edgar,

This setting could practically fix all the issues related to fragmentation/MTU/MSS you are seeing.

It will not hurt to add it to ALL LAN interfaces - on the 1721, 837 & 2821.

If you have VPNs, do not add it to the WAN interface, as the device will not see the TCP SYN / TCP SYN-ACK, since they will be encrypted.

Put it this way - the Cisco PIX/ASA running 7.x code and above has a default TCP MSS of 1380, and the tcp adjust-mss command has been in router/switch IOS since about 12.x.

HTH.
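The header arithmetic in the earlier answer and the adjust-mss behaviour described in this one are only stated in prose. The following is an added example, written for this page and not code from the thread or from Cisco: it builds a TCP SYN with DF set and MSS 1460 (a constructed sample), shows that such a segment no longer fits a 1500-byte MTU once the 56 bytes of IPsec the answer cites are added, and then rewrites the MSS option the way an MSS-clamping interface command does: only SYN segments are touched, the value is lowered and never raised, and the TCP checksum is recomputed. The per-header figures (20/20/56/28/12) are the answer's own; the IP addresses, ports and function names are assumptions.

```python
import struct

# Header budget using the figures from the answer above. The 56-byte IPsec
# and 28-byte GRE values are the answer's; real overhead depends on the
# cipher, mode and padding, so treat them as an assumption.
MTU = 1500
IP_HDR = 20
TCP_HDR = 20
IPSEC_HDR = 56
GRE_HDR = 28
RTP_HDR = 12


def mss_budget(mtu=MTU, gre=False, voip=False, margin=0):
    """Largest TCP MSS that still fits the tunnel under the given overheads."""
    mss = mtu - IP_HDR - TCP_HDR - IPSEC_HDR
    if gre:
        mss -= GRE_HDR
    if voip:
        mss -= RTP_HDR
    return mss - margin


def fits_after_encryption(mss, mtu=MTU, ipsec=IPSEC_HDR):
    """Does a full-size segment still fit the egress MTU once IPsec is added?"""
    return IP_HDR + TCP_HDR + mss + ipsec <= mtu


def _ones_complement_sum(data):
    """RFC 1071 checksum over data (odd length padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_checksum(src, dst, segment):
    """TCP checksum including the IPv4 pseudo-header (protocol 6)."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return _ones_complement_sum(pseudo + segment)


def build_syn(src="10.1.1.10", dst="10.2.2.20", sport=40000, dport=443, mss=1460):
    """Constructed sample: IPv4 (DF set) + TCP SYN with MSS, NOP and window-scale options."""
    src_b, dst_b = (bytes(map(int, a.split("."))) for a in (src, dst))
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01" + struct.pack("!BBB", 3, 3, 7)
    doff = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, doff << 4, 0x02, 65535, 0, 0) + options
    tcp = tcp[:16] + struct.pack("!H", _tcp_checksum(src_b, dst_b, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", _ones_complement_sum(ip)) + ip[12:]
    return ip + tcp


def _walk_options(seg, doff):
    """Yield (offset, kind, length) for each TCP option; stops on EOL or a malformed length."""
    i = 20
    while i < doff:
        kind = seg[i]
        if kind == 0:
            return
        if kind == 1:
            i += 1
            continue
        if i + 1 >= doff or seg[i + 1] < 2:
            return
        yield i, kind, seg[i + 1]
        i += seg[i + 1]


def syn_mss(packet):
    """MSS advertised in a SYN, or None if the packet is not a SYN or carries no MSS option."""
    ihl = (packet[0] & 0x0F) * 4
    seg = packet[ihl:]
    if packet[9] != 6 or not seg[13] & 0x02:
        return None
    for off, kind, length in _walk_options(seg, (seg[12] >> 4) * 4):
        if kind == 2 and length == 4:
            return struct.unpack_from("!H", seg, off + 2)[0]
    return None


def clamp_syn_mss(packet, max_mss):
    """Lower the MSS option of a SYN to max_mss (never raise it) and fix the TCP checksum."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:
        return packet
    seg = bytearray(packet[ihl:])
    if not seg[13] & 0x02:            # only SYN / SYN-ACK carry an MSS option
        return packet
    changed = False
    for off, kind, length in _walk_options(seg, (seg[12] >> 4) * 4):
        if kind == 2 and length == 4 and struct.unpack_from("!H", seg, off + 2)[0] > max_mss:
            struct.pack_into("!H", seg, off + 2, max_mss)
            changed = True
    if changed:
        seg[16:18] = b"\x00\x00"
        struct.pack_into("!H", seg, 16, _tcp_checksum(packet[12:16], packet[16:20], bytes(seg)))
    return packet[:ihl] + bytes(seg)


def tcp_checksum_ok(packet):
    """True when the segment's existing checksum verifies (sum over everything folds to zero)."""
    ihl = (packet[0] & 0x0F) * 4
    return _tcp_checksum(packet[12:16], packet[16:20], packet[ihl:]) == 0


if __name__ == "__main__":
    pkt = build_syn()
    print("advertised MSS:", syn_mss(pkt), "fits after IPsec:", fits_after_encryption(syn_mss(pkt)))
    clamped = clamp_syn_mss(pkt, mss_budget(gre=True, voip=True, margin=20))
    print("clamped MSS:", syn_mss(clamped), "checksum ok:", tcp_checksum_ok(clamped))
```

On IOS the equivalent is `ip tcp adjust-mss 1300` under each LAN-facing interface, which is why the answer says to place it on the LAN side: the rewrite has to happen where the SYN is still in clear text, and it only needs to touch the handshake, not every data segment.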


edgar-quintana Tue, 09/16/2008 - 12:54

Hi,

Site-to-site VPN from the 2821 with a 4 Mbps x 4 Mbps LMDS to an 837 on ADSL 3000/512... what would be the max download rate?

And from the 2821 to a 1721 (VPN module installed) on ADSL 4000/512?

Best regards

edgar-quintana Tue, 09/16/2008 - 13:24

Sorry about my English....

What is the meaning of encrypted throughput and clear-text throughput?
