Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Bronze

increasing MSS

Hi All

While troubleshooting another issue I saw that the MSS of the webservers that I host behind my ASA is 1380.

LAB-ASA# sh run all | inc 1380
sysopt connection tcpmss 1380
LAB-ASA#

Then I noticed that the MSS of webservers like amazon.com and cnn and cnet are 1460.   If I put my a PC on the local subnet of one of my webservers it SYNACKs with a MSS of 1460.    That extra 80 bytes per TCP packet have to increase performance a tiny bit right ?

If I do not have a VPN endpoint on this ASA do I have any reason not to increase the MSS to 1460 with "sysopt connection tcpmss 1460" ?

Thx!

Tim

Everyone's tags (7)
9 REPLIES
Cisco Employee

Re: increasing MSS

You are right. The MSS value is negotiated during the TCP 3 way handshake. The lowest number will be agreed upon.

You can definitely increase the "sysopt connection tcpmss" value to 1460.

Bronze

Re: increasing MSS

Hi

Thanks for the reply.    Is there anything I should watch out for.  I do terminate some VLANs on one interface of this ASA.   The ASA also transits IPSEC traffic that ends up in its DMZ. 

Thanks for any info.

Cisco Employee

Re: increasing MSS

If the ASA just transit the IPSEC traffic, it should be OK. However, if the ASA is terminating the IPSEC, you might want to decrease the MSS value to 1380 since after being encrypted, with the IPSEC encapsulation header, it will increase the MTU size.


But IPSEC traffic transiting the ASA should be allright.

Bronze

Re: increasing MSS

> But IPSEC traffic transiting the ASA should be allright.

Great , thats what I thought.  Thanks very much for confirming.

How about if I terminate VLANs on subinterfaces on the ASA.  Should I be concerned about the extra L2 tag thats inserted for trunk links like the one between the ASA and Switch ?

I ask because while the MTU on the ASA is set to the default of 1500,  I am capturing traffic on the ASA and viewing it with Wireshark , I am seeing some IPSEC packets that are 1506 bytes and Im also seeing higher than 1500 on some SSL traffic.

See the 2 JPG attachments.  Both show more than 1500 bytes being taken off the wire.  Is that OK ?

Thanks again for any assistance!

Cisco Employee

Re: increasing MSS

Yes, you don't really want the packet to go over 1500 bytes as there will be fragmentation. Preferrably smaller packet size from the actual application packet before it gets encrypted or encapsulated by SSL or VPN. Otherwise, I recently found out that some ISP can drop fragmented IP packet which would result in further delay if the TCP stream keeps retransmitting.

That's why the ASA sysopt connect tcpmss is by default 1380 (to incorporate VPN scenario where extra header is being added for encryption/encapsulation).

Hope that helps.

Bronze

Re: increasing MSS

Hi,

Can you pls confirm for me that I do not have to worry about Ethernet Headers in this conversation? 

IP MTU is different than Ethernet MTU isn't it ?

IP MTU = 1500

Ethernet MTU = 1518

TCP = 1460

TCP Header = 20

IP Header = 20

L2 Eth header

Src MAC = 6

Dst MAC = 6

Type      = 2

CRC     = 4

--------------------------

Total = 1518 bytes

Thanks Much!!

Cisco Employee

Re: increasing MSS

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1517601

1380 data + 20 TCP + 20 IP + 24 AH + 24 ESP_CIPHER + 12 ESP_AUTH + 20 IP = 1500 bytes

If the host or server does not request a maximum segment size, the adaptive security appliance assumes that the RFC 793 default value of 536 bytes is in effect.

If you set the maximum size to be greater than 1380, packets might become fragmented, depending on the MTU size (which is 1500 by default). Large numbers of fragments can impact the performance of the adaptive security appliance when it uses the Frag Guard feature. Setting the minimum size prevents the TCP server from sending many small TCP data packets to the client and impacting the performance of the server and the network.

MTU - http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/m.html#wp2040442

MSS is the Maximum Segment Size which is the largest segment (layer 4, yet not including the layer 4 header) that can fit on the current physical medium.  MTU is the Maximum Transmission Unit which is the largest packet (layer 3, including the layer 3 header) that can be transmitted.


-KS

Bronze

Re: increasing MSS

Hi kusankar

Thank you for your post, I have read those links and Im still a bit confused about L2 MTU and L3 MTU.  I'm led to believe they are both configurable.

See here
http://www.cisco.com/en/US/docs/ios/12_0/interface/command/reference/irshowin.html#wp1018148

The description for giants is...
"Number of packets that are discarded because they exceed the medium's maximum packet size. For example, any Ethernet packet that is greater than 1,518 bytes is considered a giant."

So I look here on a switch

3550-sw# sho interface faste0/1 | inc MTU
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
3550-sw#

MTU is 1500 on the switch, ok.

At this point I wonder.... What happens to frames larger than 1500 but less than 1518?

Are switches and routers going to pass frames larger than 1500 but less than 1518 or will a router along the path frag them?  

Is there a way I can see that a router is fragmenting packets ?

Thanks !!

Community Member

Perhaps 6 years too late, but

Perhaps 6 years too late, but in answer to your question the MTU defined for your layer 2 switch doesn't include the Ethernet header (18 bytes including the CRC) so if it receives and IP packet which is bigger than 1500 then once it adds the Ethernet header it would become and over-sized packet.

You should be able to see the IP fragmentation stats with some commands such as 'show ip traffic' for a router/L3 switch, or you could look into debugging options (not good for a live environment though).

6630
Views
11
Helpful
9
Replies
CreatePlease to create content