While troubleshooting another issue I saw that the MSS of the webservers that I host behind my ASA is 1380.
LAB-ASA# sh run all | inc 1380
sysopt connection tcpmss 1380
Then I noticed that the MSS of webservers like amazon.com, cnn and cnet is 1460. If I put a PC on the local subnet of one of my webservers it SYNACKs with an MSS of 1460. That extra 80 bytes per TCP packet has to increase performance a tiny bit, right?
If I do not have a VPN endpoint on this ASA, do I have any reason not to increase the MSS to 1460 with "sysopt connection tcpmss 1460"?
You are right. The MSS value is negotiated during the TCP 3-way handshake. The lowest number will be agreed upon.
You can definitely increase the "sysopt connection tcpmss" value to 1460.
Thanks for the reply. Is there anything I should watch out for? I do terminate some VLANs on one interface of this ASA. The ASA also transits IPSEC traffic that ends up in its DMZ.
Thanks for any info.
If the ASA just transits the IPSEC traffic, it should be OK. However, if the ASA is terminating the IPSEC, you might want to decrease the MSS value to 1380 since, after being encrypted, the IPSEC encapsulation header will increase the MTU size.
But IPSEC traffic transiting the ASA should be all right.
> But IPSEC traffic transiting the ASA should be all right.
Great, that's what I thought. Thanks very much for confirming.
How about if I terminate VLANs on subinterfaces on the ASA? Should I be concerned about the extra L2 tag that's inserted for trunk links like the one between the ASA and the switch?
I ask because while the MTU on the ASA is set to the default of 1500, I am capturing traffic on the ASA and viewing it with Wireshark, and I am seeing some IPSEC packets that are 1506 bytes. I'm also seeing higher than 1500 on some SSL traffic.
See the 2 JPG attachments. Both show more than 1500 bytes being taken off the wire. Is that OK ?
Thanks again for any assistance!
Yes, you don't really want the packet to go over 1500 bytes as there will be fragmentation. Preferably a smaller packet size from the actual application packet before it gets encrypted or encapsulated by SSL or VPN. Otherwise, I recently found out that some ISPs can drop fragmented IP packets, which would result in further delay if the TCP stream keeps retransmitting.
That's why the ASA "sysopt connection tcpmss" is by default 1380 (to incorporate the VPN scenario where an extra header is being added for encryption/encapsulation).
Hope that helps.
Can you please confirm for me that I do not have to worry about Ethernet headers in this conversation?
IP MTU is different from Ethernet MTU, isn't it?
IP MTU = 1500
Ethernet MTU = 1518
TCP = 1460
TCP Header = 20
IP Header = 20
L2 Eth header
Src MAC = 6
Dst MAC = 6
Type = 2
CRC = 4
Total = 1518 bytes
1380 data + 20 TCP + 20 IP + 24 AH + 24 ESP_CIPHER + 12 ESP_AUTH + 20 IP = 1500 bytes
If the host or server does not request a maximum segment size, the adaptive security appliance assumes that the RFC 793 default value of 536 bytes is in effect.
If you set the maximum size to be greater than 1380, packets might become fragmented, depending on the MTU size (which is 1500 by default). Large numbers of fragments can impact the performance of the adaptive security appliance when it uses the Frag Guard feature. Setting the minimum size prevents the TCP server from sending many small TCP data packets to the client and impacting the performance of the server and the network.
MSS is the Maximum Segment Size which is the largest segment (layer 4, yet not including the layer 4 header) that can fit on the current physical medium. MTU is the Maximum Transmission Unit which is the largest packet (layer 3, including the layer 3 header) that can be transmitted.
Thank you for your post. I have read those links and I'm still a bit confused about L2 MTU and L3 MTU. I'm led to believe they are both configurable.
The description for giants is...
"Number of packets that are discarded because they exceed the medium's maximum packet size. For example, any Ethernet packet that is greater than 1,518 bytes is considered a giant."
So I look here on a switch
3550-sw# sho interface faste0/1 | inc MTU
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
MTU is 1500 on the switch, ok.
At this point I wonder: what happens to frames larger than 1500 but less than 1518?
Are switches and routers going to pass frames larger than 1500 but less than 1518 or will a router along the path frag them?
Is there a way I can see that a router is fragmenting packets ?
Perhaps 6 years too late, but in answer to your question: the MTU defined for your layer 2 switch doesn't include the Ethernet header (18 bytes including the CRC), so if it receives an IP packet which is bigger than 1500 then once it adds the Ethernet header it would become an over-sized packet.
You should be able to see the IP fragmentation stats with some commands such as 'show ip traffic' for a router/L3 switch, or you could look into debugging options (not good for a live environment though).
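Added example (my own, not code from any poster): the header arithmetic the thread walks through, so the 1380 default, the 1518-byte Ethernet frame and a 1506-byte capture can each be checked against the 1500-byte IP MTU. The IPsec overhead is the 80-byte tally quoted above (AH 24 + ESP cipher 24 + ESP auth 12 + outer IP 20), which is an assumption about the transform set, not a universal constant; Wireshark frame lengths are assumed to exclude the FCS.

```python
# MSS / MTU arithmetic for the layers discussed in the thread.
IP_HDR = 20          # IPv4 header, no options
TCP_HDR = 20         # TCP header, no options
ETH_HDR = 14         # dst MAC 6 + src MAC 6 + EtherType 2
ETH_FCS = 4          # trailing CRC; not counted in Wireshark's frame length
DOT1Q_TAG = 4        # added on trunk links / ASA sub-interfaces

# IPsec tunnel overhead as tallied in the thread (assumed transform set).
IPSEC_OVERHEAD = {"AH": 24, "ESP_CIPHER": 24, "ESP_AUTH": 12, "OUTER_IP": 20}


def ip_packet_len(mss, ipsec=False):
    """Layer-3 packet size produced by one full-sized TCP segment."""
    size = mss + TCP_HDR + IP_HDR
    if ipsec:
        size += sum(IPSEC_OVERHEAD.values())
    return size


def max_mss(mtu=1500, ipsec=False):
    """Largest MSS whose packets still fit the IP MTU without fragmenting."""
    overhead = TCP_HDR + IP_HDR
    if ipsec:
        overhead += sum(IPSEC_OVERHEAD.values())
    return mtu - overhead


def frame_len(ip_len, tagged=False, include_fcs=False):
    """Bytes on the Ethernet wire for an IP packet of ip_len bytes."""
    size = ip_len + ETH_HDR
    if tagged:
        size += DOT1Q_TAG
    if include_fcs:
        size += ETH_FCS
    return size


def exceeds_ip_mtu(captured_frame_len, tagged=False, ip_mtu=1500):
    """True if a Wireshark frame length (no FCS) carries an IP packet larger
    than the interface MTU. The MTU counts only the IP packet, so a frame
    between 1500 and 1518 bytes is normal and will not be fragmented."""
    ip_len = captured_frame_len - ETH_HDR - (DOT1Q_TAG if tagged else 0)
    return ip_len > ip_mtu
```

With these figures a constructed 1506-byte capture works out to a 1492-byte (untagged) or 1488-byte (tagged) IP packet, i.e. under the MTU.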