Re: Does tcp adjust-mss work on GRE tunnels?

TIM KIRBY · ‎03-24-2004

I read one Cisco doc that said to use this command on GRE - IPSEC tunnels. http://www.cisco.com/en/US/partner/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

Yet the Cisco doc on the command states, "The ip tcp adjust-mss command does not work on subinterfaces or GRE tunnels."

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_command_reference_chapter09186a00801a7f4d.html#wp1048744

So does it work on Subinterfaces and GRE tunnels or not?

RYAN BARNES · ‎03-24-2004

This might not be the difinitive answer you were looking for but I've used this on Tunnel interfaces before since we have a FW blocking ICMP between my client and server.

This article on GRE IP MTU also references using ip tcp-adjust mss command on a tunnel interface.

http://www.cisco.com/warp/public/105/56.html#pfragment

Too add to the confusion, I ran into an article in the past that mentioned you also needed to run NAT on the interface for tcp-adjust mss to work! Although I havn't found this to be the case.

http://www.cisco.com/warp/public/794/router_mtu.html

Harold Ritter · ‎03-24-2004

ip tcp adjust-mss is indeed not supported on a GRE tunnel. In the GRE - IPSEC scenario though, the ip tcp adjust-mss is not to be applied to GRE tunnel interface but to the inbounds interfaces leading to this tunnel.

Hope this helps,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

czrussel · ‎03-24-2004

I use it on my GRE tunnels and it works well.

ip tcp adjust-mss 1400

I use it on each tunnel interface, that way I can tweak each one independent of the other

Harold Ritter · ‎03-24-2004

You are absolutly right. I just tried with 12.3(5) and it works like a charm.

Thanks,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

c.bernhardt · ‎03-26-2004

And what about NAT. Does ip tcp adjust-mss work without NAT ?

Browsing the Internet over a PPPOE-DSL connection without adjusting mss is a really problem.

If I have a PPPOE-DSL connection with a public-routed adress-range and I do not use NAT,

or I use such a router only for a VPN-tunnel without NAT, does ip tcp adjust-mss work or doesn't it ?

Is there another way to adjust the mss (maybe with PBR) ?

regards

Christian

czrussel · ‎03-31-2004

Yes it does.

On the dialer int try ip tcp adjust-mss 1452

On the tunnenl try ip tcp adjust-mss 1380

That's what I use on my 1751 that use PPPOE connections

I attached a cisco doc on the matter.

Here is the formula I derived from the doc

MTU 1500 - the parts the apply for your setup = adjust-mss

ip header(20)

tcp header(20)

gre (24)

pppoe (8)

ipsec transport (38)

ipsec tunnel (56)

m.baker · ‎04-01-2004

Is there a way to set the tcp MSS only for some specific traffic ? e.g. traffic that match an access-list ?

RYAN BARNES · ‎04-01-2004

This would be only interface specific. I don't think there would be any benefit of adjusting the MSS on just an HTTP packet for example or based on specific destination.

The MTU of a link is the MTU, regardless of the type of traffic.

I think if you knew that traffic crossing that interface was going to encounter a smaller segment down it's path, the best place to modify it would be on the router closest to the source (smaller MTU interface). Otherwise it would put the responsibiliy on you (your router) to either guess or know what MTU's you might encounter down the path to the destination...and that could get messy.