
New Member

Difference Between MSS and MTU

Hi All,

I know you might be thinking that if I googled it I would find it, but trust me, I still haven't found a compelling explanation on this topic, so I thought this would be the right place to ask.

This is what my understanding is:

- MSS = TCP MSS, which is actually MTU - 40 (20 bytes for TCP + 20 bytes for IP), so MSS will be 1460 if you have an MTU of 1500.

- Also, MSS is first selected when the TCP SYN request is sent from client to server along with the window size, right?

- Does MSS have anything to do with UDP? I think not.

I am having some slowness issues over an IPsec VPN between two sites, even though other sites are working fine from the same site, so I started troubleshooting and came across this maximum segment size issue, which could be one of the factors. I don't know if it is.

The slowness is on accessing resources on Microsoft DFS, Exchange Servers and Domain Controllers.

I don't know if this is all related, but can you please help explain to me the difference between the following in some detail and with some useful links?

Difference between maximum segment size and maximum transmission unit?

Difference between layer 2 MTU (max frame size) and layer 3 MTU (IP MTU)?

I would really appreciate any effort.

Thank you

1 ACCEPTED SOLUTION

Cisco Employee

Hello,

I will try to answer your question.

UDP does not have an MSS. UDP has datagrams, and the maximum size of a UDP datagram is limited by many factors (at most the length the UDP datagram length header field allows, 16 bits, and that includes the header). The hard limit is the size IP can carry.

MTU is always layer 1 and represents the capacity of a physical link. But there are situations where protocols/software need to define MTU manually, e.g. IP MTU or MPLS MTU.

IP MTU is used to determine whether an IP packet needs to be fragmented or not.

MSS is always calculated from MTU to avoid any further fragmentation. In case no MTU value is found, an MSS with the minimum size (576) will be sent (as you know, MSS = MTU - layer 3 header + layer 2 header), and MTU is the maximum packet size an interface can support.

For the difference between MTU and IP MTU you can refer to the link below:

https://supportforums.cisco.com/discussion/9912226/difference-between-interface-mtu-and-ip-mtu

I am not sure about the slowness issue you are seeing, but I hope this helps your query on MSS, MTU and IP MTU.

Regards

Sunil Bhadauria

7 REPLIES
New Member

This is the link to the best document on this topic. Clear cut and covers various scenarios:

 

http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html

Super Bronze

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

MSS is TCP related.  Normally it's set to an IP packet's MTU less IP and TCP headers, and so for standard headers (which both can be larger than 20 bytes if options are set) and for standard Ethernet, you're correct it's 1460 (1500 - 40).

You're also correct, MSS has nothing to do with UDP.

The difference between MTU for L2 vs. MTU for L3 is the difference between a packet's max supported size, on the media, and the frame's maximum supported size, on the same medium.  Just as there's 20 bytes for TCP header information, and 20 bytes for IP header information, L2 media has header overhead too.  For Ethernet, without VLAN tags, it's another 18 bytes, or 22 bytes with a VLAN tag.  There's also additional L1 overhead too.  (BTW, Wiki has nice explanations and drawings.)

Basically, MTU is determined by hardware, i.e. how large a frame can be transmitted/received.

Anyway, slowness with VPN is often impacted by maximum sized Ethernet packets needing to be IP fragmented or discovered to be avoided.  The latter delays flow start up and, by default, repeats within a timed cycle.  Both can be nicely avoided if the tcp mss-adjust feature is supported.

Cisco has a nice whitepaper addressing these issues across tunnels, see: http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html
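The arithmetic in the two posts above (MSS = MTU less IP and TCP headers, L2 frame size = IP MTU plus Ethernet overhead) and the SYN-time MSS exchange the original poster asked about, written out as an added Python example that is not code from the thread. The only byte counts built in are those quoted in the thread (IP 20, TCP 20, Ethernet 18 or 22 with a VLAN tag); the `tunnel_overhead` parameter and the 100-byte value used in the demo are hypothetical, since the thread gives no figure for IPsec encapsulation. The TCP option layout (MSS is option kind 2, length 4, 16-bit value in network byte order; kinds 0 and 1 are single-byte EOL and NOP) is the standard one from RFC 793, not something the thread states.

```python
"""Added example (not from the thread): MSS/MTU arithmetic plus a parser for the
MSS option carried in a TCP SYN. Overheads are those quoted in the thread; the
tunnel overhead is supplied by the caller and is hypothetical."""

import struct

IP_HEADER = 20       # bytes, IPv4 header without options
TCP_HEADER = 20      # bytes, TCP header without options
ETH_OVERHEAD = 18    # dst MAC 6 + src MAC 6 + EtherType 2 + FCS 4
VLAN_TAG = 4         # 802.1Q tag; 22 bytes of L2 overhead with it
MSS_OPTION_KIND = 2  # TCP option kind for Maximum Segment Size (RFC 793)


def mss_for_mtu(ip_mtu, tunnel_overhead=0, ip_options=0, tcp_options=0):
    """Largest TCP payload per segment that still fits one IP packet of ip_mtu bytes.

    tunnel_overhead is whatever encapsulation sits between the host's IP packet
    and the link (hypothetical value chosen by the caller, e.g. for a VPN)."""
    mss = (ip_mtu - tunnel_overhead
           - (IP_HEADER + ip_options) - (TCP_HEADER + tcp_options))
    if mss <= 0:
        raise ValueError("MTU %d too small for the given headers" % ip_mtu)
    return mss


def l2_frame_size(ip_mtu, vlan_tagged=False):
    """Layer 2 frame size (including FCS) needed to carry one IP packet of ip_mtu bytes."""
    return ip_mtu + ETH_OVERHEAD + (VLAN_TAG if vlan_tagged else 0)


def needs_fragmentation(ip_packet_len, ip_mtu):
    """True when an IP packet of ip_packet_len bytes cannot leave the interface whole."""
    return ip_packet_len > ip_mtu


def build_mss_option(mss):
    """Encode the MSS option as it appears in a SYN: kind 2, length 4, 16-bit value."""
    return struct.pack("!BBH", MSS_OPTION_KIND, 4, mss)


def parse_mss_option(options):
    """Walk a TCP options field (the bytes after the fixed 20-byte header) and
    return the advertised MSS, or None if the SYN carried no MSS option."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # No-Operation: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option kind %d truncated at offset %d" % (kind, i))
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad length %d for option kind %d" % (length, kind))
        if kind == MSS_OPTION_KIND:
            if length != 4:
                raise ValueError("MSS option must be 4 bytes, got %d" % length)
            return struct.unpack("!H", options[i + 2:i + 4])[0]
        i += length              # skip any other option (SACK-permitted, wscale, ...)
    return None


if __name__ == "__main__":
    # Constructed SYN options: NOP, NOP, MSS derived from a plain 1500-byte
    # Ethernet MTU, then EOL.
    syn_options = b"\x01\x01" + build_mss_option(mss_for_mtu(1500)) + b"\x00"
    print("plain Ethernet MSS:", parse_mss_option(syn_options))
    print("frame size, untagged/tagged:", l2_frame_size(1500), l2_frame_size(1500, True))
    # Hypothetical 100-byte tunnel overhead: the MSS a router clamp would need so
    # that full-size segments are not fragmented after encapsulation.
    print("MSS behind a 100-byte tunnel:", mss_for_mtu(1500, tunnel_overhead=100))
```

The `parse_mss_option` walker is the piece that matters when checking whether an MSS clamp on a tunnel router is actually taking effect: capture the SYN on each side of the tunnel, feed the option bytes in, and compare the two values.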

New Member

Hi Joseph,

Sorry, I got busy with other stuff and could not come back to this earlier.

Thanks for the clarification on the topic. I had a doubt about the MSS value, but I think I was wrong, because today we changed the DNS Message Length Maximum from the default of 512 to 1024.

The reason we changed it is that we were seeing these logs:

%ASA-4-410001: Dropped UDP DNS reply from outside:x.x.x.x/53 to inside:1.1.1.1/54266; packet length 1502 bytes exceeds configured limit of 512 bytes

So do you have any explanation for this? We resolved the issue but don't know what really happened.

Super Bronze


Explanation?  An ASA (?) notes a DNS reply is larger than it's configured to support?  Firewalls can block legitimate traffic that's unusual, making it "suspicious".

New Member

are you asking or telling me something ?

Super Bronze


Telling, I think.

Was the log message generated on an ASA?

If so, here's what Cisco documentation has for it:

Error Message %ASA-4-410001: UDP DNS request from source_interface: source_address/source_port to dest_interface: dest_address/dest_port; (label length | domain-name length) 52 bytes exceeds remaining packet length of 44 bytes.

Explanation
The domain-name length exceeds 255 bytes in a UDP DNS packet. See RFC 1035, Section 3.1 for more information.

Recommended Action None required.

 

And what the referenced RFC section says:

3. DOMAIN NAME SPACE AND RR DEFINITIONS

3.1. Name space definitions

Domain names in messages are expressed in terms of a sequence of labels.
Each label is represented as a one octet length field followed by that
number of octets.  Since every domain name ends with the null label of
the root, a domain name is terminated by a length byte of zero.  The
high order two bits of every length octet must be zero, and the
remaining six bits of the length field limit the label to 63 octets or
less.

To simplify implementations, the total length of a domain name (i.e.,
label octets and label length octets) is restricted to 255 octets or
less.

Although labels can contain any 8 bit values in octets that make up a
label, it is strongly recommended that labels follow the preferred
syntax described elsewhere in this memo, which is compatible with
existing host naming conventions.  Name servers and resolvers must
compare labels in a case-insensitive manner (i.e., A=a), assuming ASCII
with zero parity.  Non-alphabetic codes must match exactly.
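As an added Python example that is not code from the thread, here is the defender's side of the two things discussed above: a parser for the `%ASA-4-410001` "packet length ... exceeds configured limit" line the original poster quoted, which reports the largest DNS reply the firewall refused so the operator can compare it with the configured message-length maximum, and a checker for DNS wire-format names against the RFC 1035 §3.1 rules quoted in the post above (two high-order bits of each length octet zero, labels of at most 63 octets, whole name at most 255 octets). The log lines are constructed samples: the first copies the one in the thread (with its `x.x.x.x` placeholder), the others are invented to exercise the parser. The wire-format names are constructed too. The 0xC0 compression-pointer case mentioned in a comment comes from RFC 1035 §4.1.4, not from the thread.

```python
"""Added example (not from the thread): parse ASA DNS length-drop syslog lines
and validate DNS wire-format names against RFC 1035 section 3.1."""

import re

# Constructed sample log lines. Only the first is from the thread.
SAMPLE_LOGS = [
    "%ASA-4-410001: Dropped UDP DNS reply from outside:x.x.x.x/53 to inside:1.1.1.1/54266; "
    "packet length 1502 bytes exceeds configured limit of 512 bytes",
    "%ASA-4-410001: Dropped UDP DNS reply from outside:x.x.x.x/53 to inside:1.1.1.2/40011; "
    "packet length 800 bytes exceeds configured limit of 512 bytes",
    "%ASA-6-302015: Built outbound UDP connection 12 for outside:x.x.x.x/53 to inside:1.1.1.1/54266",
]

DROP_RE = re.compile(
    r"^%ASA-4-410001: Dropped UDP DNS (?P<kind>reply|request) "
    r"from (?P<src_if>[^:\s]+):(?P<src>[^/\s]+)/(?P<sport>\d+) "
    r"to (?P<dst_if>[^:\s]+):(?P<dst>[^/\s]+)/(?P<dport>\d+); "
    r"packet length (?P<length>\d+) bytes exceeds configured limit of (?P<limit>\d+) bytes$"
)


def parse_dns_drop(line):
    """Return the fields of a DNS length-drop line as a dict, or None for other lines."""
    m = DROP_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("sport", "dport", "length", "limit"):
        d[key] = int(d[key])
    return d


def largest_dropped(lines):
    """Biggest DNS packet the firewall refused (0 when no drop line matched), so the
    operator can see which message-length limit would have let it through."""
    return max((d["length"] for d in map(parse_dns_drop, lines) if d), default=0)


def validate_name(wire, offset=0):
    """Check one uncompressed domain name starting at `offset` against RFC 1035 §3.1.
    Returns (True, total_length_in_octets) or (False, reason)."""
    total = 0
    i = offset
    while True:
        if i >= len(wire):
            return False, "name runs past end of packet"
        ll = wire[i]
        if ll & 0xC0:
            # The top two bits of a plain label's length octet must be zero, which
            # also caps a label at 63 octets. 0xC0 marks a compression pointer
            # (RFC 1035 §4.1.4), which this checker deliberately does not follow;
            # 0x40 and 0x80 are simply illegal.
            return False, "length octet 0x%02x at offset %d has high-order bits set" % (ll, i)
        total += 1 + ll            # the length octet plus the label octets
        if total > 255:
            return False, "total name length exceeds 255 octets"
        if ll == 0:                # the root label terminates the name
            return True, total
        i += 1 + ll


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(parse_dns_drop(line))
    print("largest dropped DNS packet:", largest_dropped(SAMPLE_LOGS))
    # Constructed wire-format names: a normal one, an over-long label, an over-long name.
    print(validate_name(b"\x03www\x07example\x03com\x00"))
    print(validate_name(b"\x40" + b"a" * 64 + b"\x00"))
    print(validate_name((b"\x3f" + b"a" * 63) * 4 + b"\x00"))
```

`largest_dropped` is the number to look at before raising a DNS message-length limit: a limit that is still below the largest dropped size just moves the threshold without letting that reply through.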