PIX MTU / MSS / DF Bit Questions

Unanswered Question

Hello All-

I am tying to find out if I am running my PIX VPN's as efficiently as possible. Here is the setup:

Our PIX 525 pair terminates about 150 VPNs from customers and sites. Some connections we control both ends (usually an 1811 on the other side). Others are customer controlled. The PIX devices have 2811s before the PE device. Our primary ISP is qwest serving 30Mbps via an MPLS fiber connection.

On the inside interfaces of the PIX is our datacenter switch stack of 3750s. Our servers connect to this switch stack directrly with the routing being handled by the 3750.

On the PIX we have an MTU on the outside and inside interface at 1500. The MSS is set to 1368. On the inside and outside intercace of the pix pre-fragmentation is enabled and DF bit policy is set to copy.

On the edge routers we have an MTU of 1500 on the inside and outside interface.

This is the same for the 3750 stack. The ports have an MTU of 1500 and the vlan has an mtu of 1500.

I am not seeing any fragmentation on the vpn connections, but I am trying to figure out what the optimal setting should be to maximize throughput.

Any thoughts / comments / advise is greatly appreciated.


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Panos Kampanakis Wed, 11/04/2009 - 12:51

Please look at http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml#t5

You can calculate the headers to see what is the maximum mss that will not cause fragmentation, which would maximize your throughput for tcp (not udp or icmp). Calculate 40bytes (TCP+IP header) plus the IPSec headers (depending on your algorithms) and then you can have the values. Usually it is close to 1420bytes.

I hope it helps.



I have been trying this and I get different results for different tunnels. Some are in the low 1400s, Most are somewhere in the 1300s. I have even seen some in the high 1200s.

About a month ago I set the MSS on the PIX to be 1300 per the document you linked to. This had some adverse affects of our web content caching servers (squid) getting packets dropped on the firewall because of MSS exceeded errors.

As for MSS, Should I set it to the lowest value I come to, or try and find a good number that represents most of the tunnels?

I am also wondering if I need to look at my MTU. I have been told that ASA use a lower MTU by default, but PIXs don't. Would it be a good idea if I lowered my MTU?


Panos Kampanakis Fri, 11/06/2009 - 10:55

The PIX ASA MTU is 1500 default. I would not consider changing the MTU because you are limiting the interface just for the VPN's shake.

The MSS is the values you need to tweak. UDP packets are usually small so they don't cause issues. The optimal value is the highest that makes all tunnels work. The MSS is applied globally, so it applies to all TCP packets. I am not sure why changing the MSS to 1300 on the PIX cause issues since changing it makes the PIX change the TCP SYNs so the server knows that he has to send smaller MSS. The server should not send higher than 1300 MSS after that. Maybe I am missing something in the setup.

Anyway, I hope the other suggestions make sense.



This Discussion