ip tcp adjust-mss & mtu

Unanswered Question
Jan 30th, 2010


i have a vpn between two hardware serial encryptors and i'm having a few active directory issues which i suspect are mtu related, i.e. group policy doesn't always apply

i'm looking some advice on using the ip tcp adjust-mss command and mtu command

can anyone recommend a guide to me please?

i'm attaching a topology in the hope it will jog someone's memory and i can add some relevant config if it helps

thanks to anyone taking the time to read this or reply

james.bastnagel Sat, 01/30/2010 - 21:49


What would lead you to believe that this issue is TCP-MSS or MTU related? In my experience if it were related to that, then group policy would not apply consistently and there would be a lot more issues than only GPO's not

Here is a pretty straightforward guide to finding the MTU you should be using. http://www.howtonetworking.com/VPN/mtu4.htm

Also, rather than changing the MTU or MSS on your entire network, you may try adjusting the window size or MTU on one or two client devices to see if that alleviates any of the issues you are seeing--and be sure that's it before you change those settings on a

Additionally, if you can run a packet capture on a device that is having connectivity issues and you see a huge number of duplicate acks--or tcp packets with the same sequence number then that would lean towards an MTU issue. Wireshark has pretty good built-in analysis for this type of thing.

I hope this helps. Let us know how it works out.

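The capture check suggested in the reply above (many duplicate ACKs, or TCP packets repeating the same sequence number), as an added example that is not part of the original post. It assumes the capture has already been reduced to per-packet records; the `Seg` fields, the endpoints and all numbers are constructed, and the size-dependent test is an assumed heuristic.

```python
from collections import Counter, namedtuple

# One TCP segment taken from a capture; field names are this example's own.
Seg = namedtuple("Seg", "src dst seq ack length")

def analyse(segments):
    """Per direction: duplicate ACKs, repeated sequence numbers, size-dependent loss."""
    stats, last_ack, sent = {}, {}, {}
    for s in segments:
        flow = (s.src, s.dst)
        st = stats.setdefault(
            flow, {"dup_acks": 0, "retransmits": 0, "size_dependent": False})
        if s.length == 0:
            # Pure ACK repeating the previous one (window updates are not
            # distinguished here, a simplification).
            if last_ack.get(flow) == (s.seq, s.ack):
                st["dup_acks"] += 1
            last_ack[flow] = (s.seq, s.ack)
        else:
            copies = sent.setdefault(flow, Counter())
            if copies[(s.seq, s.length)]:      # same sequence number seen before
                st["retransmits"] += 1
            copies[(s.seq, s.length)] += 1
    for flow, copies in sent.items():
        once = [length for (_, length), n in copies.items() if n == 1]
        again = [length for (_, length), n in copies.items() if n > 1]
        # Assumed heuristic: only segments larger than any that got through
        # were resent, which is how a too-small path MTU shows up.
        stats[flow]["size_dependent"] = bool(again) and min(again) > max(once, default=0)
    return stats

# Constructed capture taken on the sending host; endpoints and numbers are made up.
A, B = "10.0.1.20:49152", "10.0.0.10:445"
SAMPLE = [
    Seg(A, B, 1001, 5001, 200),
    Seg(B, A, 5001, 1201, 0),
    Seg(A, B, 1201, 5001, 1460),   # full-size segment, never acknowledged
    Seg(A, B, 2661, 5001, 100),
    Seg(B, A, 5001, 1201, 0),      # duplicate ACK
    Seg(A, B, 1201, 5001, 1460),   # same sequence number again
    Seg(A, B, 2761, 5001, 100),
    Seg(B, A, 5001, 1201, 0),      # duplicate ACK
    Seg(A, B, 1201, 5001, 1460),
]

if __name__ == "__main__":
    for flow, result in analyse(SAMPLE).items():
        print(flow, result)
```
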

mulhollandm Sun, 01/31/2010 - 04:01


i suspect it's mtu size as we already patched one of the remote hosts with a MS patch and this resolved the issue but i'll have different users drifting in & out of this lan so i need a solution that will affect all users

i configured the tcp mss command some time ago and it sorted out other mtu issues but i'm led to believe the AD sends a number of large packets for machine joining a domain but i need to read up a bit more on this


