MTU Size Problem Loading Certain Webpages

Unanswered Question

Hello Colleagues,


I'm having a strange problem dealing with MTU sizes and loading certain webpages. I am aware of the default Microsoft MTU of 1500 and also that GRE IPsec tunnels are recommended at an MTU size of 1400. I have since manually set some users' PCs to an MTU of 1400 and most of those users are experiencing no issues. However, there are a few users who still experience website loading issues even though I have manually changed their MTU size to 1400.


These are domain accounts with the same image loaded on their machines, so all have the same permissions, rights, firewall settings, etc. They all use the same LAN, switches, and routers.


Here are the router configs, Router 1 and Router 2:


Router 1

Current configuration : 9006 bytes
!
version 15.3
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname R-US-RS-WVPN1
!
boot-start-marker
boot system flash:c1900-universalk9-mz.SPA.153-1.T1.bin
boot system flash:c1900-universalk9-mz.SPA.151-3.T1.bin
boot-end-marker
!
!
logging buffered 64000
enable secret 5 *removed*
!
no aaa new-model
clock timezone CET 1 0
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause rootguard
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery interval 303
!
ip cef
!
!
!
!
!
!
ip domain name corp.com
ip name-server 10.###.8.21
ip name-server 10.###.8.96
ip inspect dns-timeout 90
ip inspect tcp idle-time 60
ip inspect name fw smtp timeout 120
ip inspect name fw ftp timeout 120
ip inspect name fw realaudio
ip inspect name fw tftp timeout 30
ip inspect name fw udp timeout 30
ip inspect name fw tcp timeout 60
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-316595902
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-316595902
 revocation-check none
 rsakeypair TP-self-signed-316595902
!
!
crypto pki certificate chain TP-self-signed-316595902
 certificate self-signed 01
  *removed*
        quit
license udi pid CISCO1921/K9 sn FTX153182M8
!
!
!
spanning-tree vlan 229 priority 8192
!
redundancy
!
!
!
!
!
ip ssh version 2
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp key *removed* address 70.###.172.142
crypto isakmp key *removed* address 184.###.###.254
crypto isakmp keepalive 35 11
!
!
crypto ipsec transform-set FY-WVPN-Tunnel esp-aes esp-md5-hmac
 mode tunnel
!
!
!
crypto map vpn 10 ipsec-isakmp
 set peer 70.###.172.142
 set peer 184.###.###.254
 set transform-set FY-WVPN-Tunnel
 match address gre-tunnel-list
!
!
!
!
!
interface Loopback0
 ip address 10.###.0.10 255.255.255.255
!
interface Tunnel2291
 description Primary-TimewarnerTelecom-Ral-FayWVPN1
 ip address 10.###.99.26 255.255.255.252
 no ip redirects
 cdp enable
 tunnel source 66.###.161.126
 tunnel destination 184.###.###.254
 crypto map vpn
!
interface Tunnel2293
 description Primary-TimewarnerTelecom-Ral-FayWVPN2
 ip address 10.###.99.154 255.255.255.252
 no ip redirects
 cdp enable
 tunnel source 66.###.161.126
 tunnel destination 70.###.172.142
 crypto map vpn
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description TW Telecom/DMVPN1
 ip address 66.###.161.126 255.255.255.252
 ip access-group Block-Internet in
 ip access-group Block-Internet out
 duplex auto
 speed auto
 no cdp enable
 crypto map vpn
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/0
 switchport access vlan 229
 no ip address
!
interface GigabitEthernet0/0/1
 switchport access vlan 229
 no ip address
!
interface GigabitEthernet0/0/2
 switchport access vlan 229
 no ip address
!
interface GigabitEthernet0/0/3
 description PBX Eth1
 switchport access vlan 229
 no ip address
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan229
 ip address 10.###.229.253 255.255.255.0
 ip helper-address 10.###.231.201
 standby 229 ip 10.###.229.254
 standby 229 priority 105
 standby 229 preempt
!
!
router eigrp 100
 network 10.0.0.0
!
ip forward-protocol nd
!
no ip http server
ip http secure-server
!
ip route 70.###.172.142 255.255.255.255 66.###.161.125
ip route 184.###.###.254 255.255.255.255 66.###.161.125
ip route 205.###.96.180 255.255.255.252 66.###.161.125
!
ip access-list extended Block-Internet
 permit esp host 66.###.161.126 host 184.###.###.254
 permit esp host 184.###.###.254 host 66.###.161.126
 permit udp host 66.###.161.126 host 184.###.###.254 eq isakmp
 permit udp host 184.###.###.254 host 66.###.161.126 eq isakmp
 permit esp host 66.###.161.126 host 70.###.172.142
 permit esp host 70.###.172.142 host 66.###.161.126
 permit udp host 66.###.161.126 host 70.###.172.142 eq isakmp
 permit udp host 70.###.172.142 host 66.###.161.126 eq isakmp
 permit icmp host 66.###.161.126 host 184.###.###.254
 permit icmp host 184.###.###.254 host 66.###.161.126
 permit icmp host 66.###.161.126 host 70.###.172.142
 permit icmp host 70.###.172.142 host 66.###.161.126
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any packet-too-big
 permit icmp any any traceroute
 permit icmp any any unreachable
 deny   ip any any
 deny   icmp any any
ip access-list extended gre-tunnel-list
 permit gre host 66.###.161.126 host 184.###.###.254
 permit gre host 66.###.161.126 host 70.###.172.142
!
logging host 10.100.###.254
logging host 10.100.###.246
!
!
snmp-server community a RW 20
snmp-server community r RO 20
snmp-server community a RW 20
snmp-server community r RO 20
snmp-server community P_RW RW
snmp-server community P_RO RO
snmp-server enable traps entity-sensor threshold
snmp-server host 10.100.###.246 public
snmp-server host 10.100.###.254 public
access-list 20 permit 10.###.9.3
access-list 20 permit 10.###.8.16
access-list 20 permit 10.100.###.249
access-list 20 permit 10.100.###.254
access-list 20 permit 10.100.###.246
!
control-plane
!
!
banner motd ^CCCCCCC
****************** Warning! Warning! Warning! ********************

This system is restricted to authorized users for business
purposes.  Unauthorized access is a violation of the law.  This
service may be monitored for administrative and security reasons.
By proceeding, you consent to this monitoring

****************** Warning! Warning! Warning! ********************
^C
!
line con 0
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 60 0
 password 7 *removed*
 login local
 transport input ssh
line vty 5 15
 exec-timeout 60 0
 password 7 *removed*
 login local
 transport input ssh
!
scheduler allocate 20000 1000
ntp server 10.###.8.8 prefer
ntp server 10.###.231.200 prefer
ntp server 10.###.8.69
ntp server 10.###.1.6 prefer
!
end


Router 2

Current configuration : 9013 bytes
!
version 15.3
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname R-US-RS-WVPN2
!
boot-start-marker
boot system flash:c1900-universalk9-mz.SPA.153-1.T1.bin
boot system flash:c1900-universalk9-mz.SPA.151-3.T1.bin
boot-end-marker
!
!
logging buffered 64000
logging console critical
enable secret 5 *removed*
!
no aaa new-model
clock timezone CET 1 0
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause rootguard
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery interval 303
!
ip cef
!
!
!
!
!
!
ip domain name corp.mann-hummel.com
ip name-server 10.###.8.21
ip name-server 10.###.8.96
ip inspect dns-timeout 90
ip inspect tcp idle-time 60
ip inspect name fw smtp timeout 120
ip inspect name fw ftp timeout 120
ip inspect name fw realaudio
ip inspect name fw tftp timeout 30
ip inspect name fw udp timeout 30
ip inspect name fw tcp timeout 60
ipv6 multicast rpf use-bgp
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-3179596086
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3179596086
 revocation-check none
 rsakeypair TP-self-signed-3179596086
!
!
crypto pki certificate chain TP-self-signed-3179596086
 certificate self-signed 01
  *removed*
        quit
license udi pid CISCO1921/K9 sn FTX153182M2
!
!
!
spanning-tree vlan 229 priority 1###84
!
redundancy
!
!
!
!
!
ip ssh version 2
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp key *removed* address 70.###.172.142
crypto isakmp key *removed* address 184.###.###.254
crypto isakmp keepalive 35 11
!
!
crypto ipsec transform-set Fay-Ral-WVPN-Tunnel esp-aes esp-md5-hmac
 mode tunnel
!
!
!
crypto map vpn 10 ipsec-isakmp
 set peer 184.###.###.254
 set peer 70.###.172.142
 set transform-set Fay-Ral-WVPN-Tunnel
 match address gre-tunnel-list
!
!
!
!
!
interface Loopback0
 ip address 10.###.0.12 255.255.255.255
!
interface Tunnel2292
 description Failover-TimewarnerCable-Ral-Fay-WVPN2
 ip address 10.###.99.30 255.255.255.252
 no ip redirects
 cdp enable
 tunnel source 96.###.25.226
 tunnel destination 184.###.###.254
 crypto map vpn
!
interface Tunnel2294
 description Failover-TimewarnerCable-Ral-Fay-WVPN2
 ip address 10.###.99.158 255.255.255.252
 no ip redirects
 cdp enable
 tunnel source 96.###.25.226
 tunnel destination 70.###.172.142
 crypto map vpn
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Fay-Ral WVPN
 ip address 96.###.25.226 255.255.255.252
 ip access-group Block-Internet in
 ip access-group Block-Internet out
 duplex auto
 speed auto
 no cdp enable
 crypto map vpn
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/0
 switchport access vlan 229
 no ip address
!
interface GigabitEthernet0/0/1
 switchport access vlan 229
 no ip address
!
interface GigabitEthernet0/0/2
 switchport access vlan 229
 no ip address
!
interface GigabitEthernet0/0/3
 description PBX Eth2
 switchport access vlan 229
 no ip address
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan229
 ip address 10.###.229.252 255.255.255.0
 ip helper-address 10.###.231.201
 standby 229 ip 10.###.229.254
 standby 229 preempt
!
!
router eigrp 100
 network 10.0.0.0
!
ip forward-protocol nd
!
no ip http server
ip http secure-server
!
ip route 70.###.172.142 255.255.255.255 96.###.25.225
ip route 184.###.###.254 255.255.255.255 96.###.25.225
ip route 205.###.96.180 255.255.255.252 66.###.161.125
!
ip access-list extended Block-Internet
 permit esp host 96.###.25.226 host 184.###.###.254
 permit esp host 184.###.###.254 host 96.###.25.226
 permit udp host 96.###.25.226 host 184.###.###.254 eq isakmp
 permit udp host 184.###.###.254 host 96.###.25.226 eq isakmp
 permit esp host 96.###.25.226 host 70.###.172.142
 permit esp host 70.###.172.142 host 96.###.25.226
 permit udp host 96.###.25.226 host 70.###.172.142 eq isakmp
 permit udp host 70.###.172.142 host 96.###.25.226 eq isakmp
 permit icmp host 96.###.25.226 host 184.###.###.254
 permit icmp host 184.###.###.254 host 96.###.25.226
 permit icmp host 96.###.25.226 host 70.###.172.142
 permit icmp host 70.###.172.142 host 96.###.25.226
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any packet-too-big
 permit icmp any any traceroute
 permit icmp any any unreachable
 deny   ip any any
 deny   icmp any any
ip access-list extended gre-tunnel-list
 permit gre host 96.###.25.226 host 184.###.###.254
 permit gre host 96.###.25.226 host 70.###.172.142
!
logging host 10.100.###.254
logging host 10.100.###.246
!
!
snmp-server community P_RW RW
snmp-server community P_RO RO
snmp-server community a RW 20
snmp-server community r RO 20
snmp-server community a RW 20
snmp-server community r RO 20
snmp-server enable traps entity-sensor threshold
snmp-server host 10.100.###.246 public
snmp-server host 10.100.###.254 public
access-list 20 permit 10.###.9.3
access-list 20 permit 10.###.8.16
access-list 20 permit 10.100.###.249
access-list 20 permit 10.100.###.254
access-list 20 permit 10.100.###.246
!
control-plane
!
!
banner motd ^CCCCCC
****************** Warning! Warning! Warning! ********************

This system is restricted to authorized users for business
purposes.  Unauthorized access is a violation of the law.  This
service may be monitored for administrative and security reasons.
By proceeding, you consent to this monitoring

****************** Warning! Warning! Warning! ********************
^C
!
line con 0
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 60 0
 password 7 *removed*
 login local
 transport input ssh
line vty 5 15
 exec-timeout 60 0
 password 7 *removed*
 login local
 transport input ssh
!
scheduler allocate 20000 1000
ntp server 10.###.8.8 prefer
ntp server 10.###.231.200 prefer
ntp server 10.###.8.69
ntp server 10.###.1.6 prefer
!
end


UPDATE


I have since applied the following config to the tunnel interfaces:


ip mtu 1400
ip tcp adjust-mss 1400
tunnel path-mtu-discovery


This worked and I was able to reset each user's PC to the default MTU size of 1500, but only until just now. I got a call from a user who explained that he wasn't able to reach some websites, again.


Sure enough, I've just confirmed that all of the users are unable to access the websites any longer.


This is crazy, does anyone have any ideas?

Rolf Fischer Fri, 12/06/2013 - 09:49

Hi,


ip mtu 1400
ip tcp adjust-mss 1400

Typically, the MSS is the MTU minus 40.

If you have verified that 1400 is the adequate value for the MTU, you should adjust the MSS to 1360.

(A handy tool for Windows to determine the path's MTU is mturoute.)



HTH

Rolf
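To make the "MTU minus 40" rule and the 1400-byte tunnel MTU from the update concrete, here is an added Python example (not from this thread or from Cisco) that budgets the GRE and ESP tunnel-mode overhead of the esp-aes esp-md5-hmac transform set in the configs above. It assumes plain GRE with no key or sequence fields, a 16-byte AES-CBC IV, a 96-bit truncated HMAC-MD5 ICV and no NAT-T (UDP encapsulation would add another 8 bytes); those are assumptions, not something the post states.

```python
# Added example: GRE-over-IPsec overhead budget and matching MSS.
# Constants below are assumptions about the transform set, see the lead-in.
IP_HDR = 20          # IPv4 header without options
TCP_HDR = 20         # TCP header without options
GRE_HDR = 4          # assumption: plain GRE, no key/sequence/checksum fields
ESP_HDR = 8          # SPI + sequence number
AES_IV = 16          # assumption: AES-CBC, one block of IV (esp-aes)
AES_BLOCK = 16
ESP_TRAILER = 2      # pad length + next header
MD5_ICV = 12         # HMAC-MD5-96 (esp-md5-hmac)


def gre_ipsec_size(inner_len: int) -> int:
    """Bytes on the wire for an inner IP packet of inner_len bytes after
    GRE encapsulation and ESP tunnel-mode protection (no NAT-T)."""
    gre_packet = IP_HDR + GRE_HDR + inner_len        # delivery IP header + GRE
    # ESP payload plus trailer is padded up to a whole AES block
    padded = -(-(gre_packet + ESP_TRAILER) // AES_BLOCK) * AES_BLOCK
    return IP_HDR + ESP_HDR + AES_IV + padded + MD5_ICV


def max_inner_mtu(link_mtu: int = 1500) -> int:
    """Largest inner packet whose encapsulated form still fits the physical link."""
    inner = link_mtu
    while gre_ipsec_size(inner) > link_mtu:
        inner -= 1
    return inner


def mss_for_mtu(ip_mtu: int) -> int:
    """The MSS that matches an interface MTU: subtract the IP and TCP headers."""
    return ip_mtu - IP_HDR - TCP_HDR


def segment_fits(mss: int, ip_mtu: int) -> bool:
    """Does a full-sized segment with this MSS fit the interface MTU without
    fragmentation? With DF set, a segment that does not fit is dropped."""
    return mss + IP_HDR + TCP_HDR <= ip_mtu


if __name__ == "__main__":
    print("inner 1400 ->", gre_ipsec_size(1400), "bytes on the wire")       # 1496
    print("largest inner MTU on a 1500-byte link:", max_inner_mtu())         # 1414
    print("MSS for ip mtu 1400:", mss_for_mtu(1400))                         # 1360
    print("adjust-mss 1400 under ip mtu 1400 fits:", segment_fits(1400, 1400))  # False
```

The gap between 1414 and the commonly quoted 1400 is headroom for GRE key/sequence fields or NAT-T; the MSS, however, has no headroom at all, which is why an MSS equal to the MTU leaves every full segment 40 bytes too large.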

Thank you for the reply Rolf,


Yes, and you've jogged my memory of what I read the other day. So, I've updated the config to:


ip tcp adjust-mss 1360


...and still not working for *some* users. Interestingly, some users can access the problem sites just fine.


I used the tool mturoute and performed a trace to the gateway and one of the trouble sites. A trace to the gateway with an MTU size of 1500 works fine. A trace to a problem site with the same MTU fails because the site is blocking ICMP pings :/

Rolf Fischer Fri, 12/06/2013 - 11:34

...and still not working for *some* users. Interestingly, some users can access the problem sites just fine.


Hmm, would it make sense to compare the paths with a traceroute from both (good vs. "problem" client) in order to see if there is load-sharing based on the source-address somewhere?
