Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

vpn and mtu

Recently I setup a 1721 running IOS c1700-k9o3sy7-mz.122-15.T5.bin

This router terminated a VPN with another router, a 1721 with the exact same IOS version. This router was initialy connected via a wireless WAN link out eth0. We moved them on to a t1 as the primary interface with the wireless as a backup. We then had to

-setup a loopback device - its ip would terminate the vpn

-make the source packets of the vpn come from the loopback

-setup static routes w/ higher administrative distances

Doing all this we tested the vpns - they worked. Unplugged to t1 connection and traffic moved over to the wireless. We verified vpn clients could connect. Everything worked ok...

Except when moving large files between hosts behind fa0 over the vpn to hosts at the far end. To prove the vpn worked and routing was in place we could telnet from a host behind fa0 over the vpn to a remote host and login.. Then we'd try a ftp some files over. We could connect to the ftp server BUT once a file transfer was started things would hang.

We opened a Cisco tac case and it turned out that adding

ip tcp adjust-mss 1300

to interface fa0 fixed everything - files transfers worked.

My question why would reduced packet size help? Did the vpn add some packet overhead cauing larger packets to be dropped?

A clue was found here BUT this relates to PPPoE - not vpns..

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122tcr/122twr/wftbrda.htm#1064471

I'm just looking for an explanation as to why this reduced MTU size worked. I would of never figured this out on my own...

Below is the running-config we used. Remember everything worked(switching between WAN link, vpn connectivity, NAT) except file transfers and when large amounts of data was pushed over the pipe, like MS file/print sharing, emails w/ attachments(few hundred k). The only change was one line to the fa0 interface.

version 12.2

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname HPARFD

!

logging queue-limit 100

logging buffered 8192 debugging

enable secret 5 <removed>

enable password 7 <removed>

!

username abc password <removed>

clock timezone CST -6

clock summer-time CDT recurring

aaa new-model

!

!

aaa authentication login userauthen local

aaa authorization network groupauthor local

aaa session-id common

ip subnet-zero

!

!

no ip domain lookup

ip domain name blahblah.net

ip name-server <dns ip>

ip name-server <dns ip>

!

ip audit notify log

ip audit po max-events 100

ip ssh time-out 60

!

!

!

!

crypto isakmp policy 1

hash md5

authentication pre-share

!

crypto isakmp policy 2

hash md5

authentication pre-share

!

crypto isakmp policy 3

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 10

hash md5

authentication pre-share

crypto isakmp key test3030 address <remoteip> no-xauth

crypto isakmp key test3131 address 0.0.0.0 0.0.0.0

crypto isakmp client configuration address-pool local ourpool

!

crypto isakmp client configuration group whatever

key <removed>

pool ourpool

acl 101

!

!

crypto ipsec transform-set rptset esp-des esp-md5-hmac

crypto ipsec transform-set trans2 esp-des esp-md5-hmac

crypto ipsec transform-set v35clientset esp-3des esp-md5-hmac

!

crypto dynamic-map dynmap 10

set transform-set v35clientset

crypto dynamic-map dynmap 20

set transform-set trans2

!

!

crypto map rtp local-address Loopback0

crypto map rtp isakmp authorization list groupauthor

crypto map rtp client configuration address initiate

crypto map rtp client configuration address respond

crypto map rtp 1 ipsec-isakmp

set peer <peer ip>

set transform-set rptset

match address 115

crypto map rtp 50 ipsec-isakmp dynamic dynmap

!

!

!

!

interface Loopback0

description Loopback address is NOT dependent on either physical interface

ip address <removed> 255.255.255.255

no ip proxy-arp

ip nat outside

no ip split-horizon

!

interface Ethernet0

description secondary WAN link - wireless

ip address <removed> 255.255.255.252

no ip proxy-arp

ip nat outside

no ip split-horizon

half-duplex

crypto map rtp

!

interface FastEthernet0

description connected to EthernetLAN

ip address <private ip> 255.255.255.0

no ip proxy-arp

ip tcp adjust-mss 1300

^^^^^^^^^^^^^^^^^^^^^^ Cisco tac added work around

ip nat inside

speed auto

!

interface Serial0

description primary WAN link - t1

ip address <private ip> 255.255.255.252

no ip proxy-arp

ip nat outside

random-detect

crypto map rtp

!

router rip

version 2

passive-interface Loopback0

passive-interface Serial0

passive-interface Ethernet0

network <private ip>

no auto-summary

!

ip local pool ourpool <private ip range>

ip nat inside source route-map nonat interface Loopback0 overload

ip classless

ip route 0.0.0.0 0.0.0.0 Serial0 <removed>

ip route 0.0.0.0 0.0.0.0 Ethernet0 <removed 200

ip route <private ip> 255.255.255.0 Serial0 <removed>

ip route <private ip> 255.255.255.0 Ethernet0 <removed> 200

ip route <private ip> 255.255.255.0 Serial0 <removed>

ip route <private ip> 255.255.255.0 Ethernet0 <removed> 200

ip route <private ip> 255.255.255.0 Serial0 <remoted>

ip route <private ip> 255.255.255.0 Ethernet0 <remove> 200

no ip http server

no ip http secure-server

!

!

!

ip access-list extended remote_access

permit tcp any any eq 22

permit tcp <private ip> 0.0.0.255 any eq telnet

deny tcp any any eq telnet

permit ip any any

!

access-list 1 permit <private> 0.0.0.255

access-list 100 permit ip host <removedd> 192.168.0.0 0.0.0.255

access-list 100 permit ip host <removed> 192.168.0.0 0.0.0.255

access-list 100 permit ip host <removed> 192.168.0.0 0.0.0.255

access-list 101 permit ip <removed> 0.0.0.255 10.2.1.0 0.0.0.255

access-list 101 permit ip 192.168.0.0 0.0.255.255 10.2.1.0 0.0.0.255

access-list 199 permit tcp any any established

access-list 199 permit udp any any

access-list 199 permit esp any any

access-list 199 permit ip 192.168.0.0 0.0.0.255 <removed> 0.0.0.255

!

route-map nonat permit 10

match ip address 110

!

snmp-server enable traps tty

radius-server authorization permit missing Service-Type

alias exec sv show version

alias exec sr show running-config

alias exec ss show startup-config

alias exec con conf t

alias exec top show proc

alias exec br show ip inter brief

!

line con 0

exec-timeout 0 0

password 7 <removed>

line aux 0

line vty 0 4

exec-timeout 0 0

password 7 <removed>

logging synchronous

transport input pad udptn telnet rlogin ssh

!

ntp clock-period 17180059

ntp server <removed>

end

3 REPLIES
Silver

Re: vpn and mtu

TCP-mss is the Maximum Segment Size, TCP Optionally negotiates with the other party at the time of session initialization. In your case, TCP will not send more than 1300 bytes to the other party in one segment.

I think you can go a little more than 1300. All you are doing is leaving room in the 1500B packet for additional headers to fit in. Usually TCP+IP header overhead consumes 40B, but will increase with the use of Options. In addition, VPN headers need space as well.

Hope this helps.

Silver

Re: vpn and mtu

The average overhead for an IPSec Tunnel Mode VPN is approx 51 - 58 bytes:

ESP overhead (with authentication) : 31 ~ 38 bytes (including padding)

New IP Header : 20 Bytes

New Member

Re: vpn and mtu

An answer was posted in another forum - the vpn security. Here in a url that basically explains everything in detail.

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml

248
Views
0
Helpful
3
Replies
CreatePlease login to create content