VPN MTU Size

davidhaycox
Level 1

Get this same problem with any Cisco router site-site VPN. Have various customers with 857, 877, 1841, 2811 routers, same problem every time. I'm setting up a VPN with the SDM, link goes up ok, but traffic seems oddly sluggish.

Installing the Cisco VPN client on all PCs seems to resolve the problem - I'm guessing because it sets the MTU size to 1300 - but you always get this error message when testing the VPN from the SDM:

Failure Reason(s)

A ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to the other end VPN device is failing. This may happen if there is a lesser MTU network which drops the 'Do not fragment' packets.

Recommended Action(s)

1) Contact your ISP/Administrator to resolve this issue.
2) Issue the command 'crypto ipsec df-bit clear' under the VPN interface to avoid packets drop due to fragmentation.

The crypto command doesn't make any difference.

Any ideas gratefully received.

10 Replies

Not applicable

A source doing PMTUD starts with a maximum packet length that is the minimum of the outbound MTU of the interface and the announced MSS during TCP setup (if any) + 40, and works downward from that length to find a packet length that will arrive at the recipient even if the packet's DontFragment flag is set. If you've chosen your outbound MTU carefully (and your ISP carefully), packets of the initial maximum packet length will survive the trip without fragmentation. So if PMTUD is causing a problem, you can just turn it off with no performance penalty at all.

http://www.cisco.com/en/US/products/hw/routers/ps4081/products_tech_note09186a0080094268.shtml
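The PMTUD behaviour described in the reply above, as an added example that is not part of this thread: a small Python model of a sender probing downward across hops, including the silent black hole that appears when a firewall filters the ICMP "fragmentation needed" reply, and the effect of the router clearing the DF bit. The hop names and the 1440-byte tunnel MTU are constructed sample values.

```python
# Added example (not from the thread): a small model of path MTU discovery across hops,
# including the black hole that appears when the ICMP "fragmentation needed" reply is filtered.
from dataclasses import dataclass


@dataclass
class Hop:
    name: str
    mtu: int
    filters_icmp: bool = False   # drops ICMP type 3 code 4 replies passing back through it
    clears_df: bool = False      # models 'crypto ipsec df-bit clear' on the VPN router


def send(path, size, df=True):
    """Forward one packet hop by hop. Returns ('delivered', size),
    ('frag_needed', next_hop_mtu) or ('dropped', next_hop_mtu) for a silent black hole."""
    for idx, hop in enumerate(path):
        if hop.clears_df:
            df = False
        if size > hop.mtu:
            if not df:
                return ("delivered", hop.mtu)    # router fragments; far end reassembles
            # hop drops the oversized packet; its ICMP reply must cross the earlier hops
            if any(h.filters_icmp for h in path[:idx]):
                return ("dropped", hop.mtu)
            return ("frag_needed", hop.mtu)
    return ("delivered", size)


def pmtud(path, start, max_tries=5):
    """Sender behaviour: start big, shrink to the MTU each ICMP reply announces."""
    size = start
    for _ in range(max_tries):
        status, value = send(path, size)
        if status == "delivered":
            return size
        if status == "frag_needed":
            size = value
        else:
            return None                          # no reply ever comes: the sender just stalls
    return None


# Constructed sample paths: LAN, an upstream hop, the IPsec tunnel, far-end LAN.
HEALTHY = [Hop("lan", 1500), Hop("isp", 1500), Hop("ipsec", 1440), Hop("remote-lan", 1500)]
FILTERED = [Hop("lan", 1500), Hop("firewall", 1500, filters_icmp=True),
            Hop("ipsec", 1440), Hop("remote-lan", 1500)]
DF_CLEARED = [Hop("lan", 1500), Hop("firewall", 1500, filters_icmp=True),
              Hop("ipsec", 1440, clears_df=True), Hop("remote-lan", 1500)]
```

With ICMP filtered the sender never learns the tunnel MTU and large packets simply vanish, which is the "sluggish" symptom in the original question; clearing DF on the VPN router trades that for fragmentation.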

I see the same problem - I have a VPN configured across the Internet between a Cisco 2811 router to a Checkpoint firewall.

Lower the MTU size on the clients to below the usual 1500 bytes (to below 1300 as specified above) and traffic flows without problem across the VPN. It seems the additional header when going through the tunnel is causing problems.

Is reducing the MTU size on the router interface a possibility? This may cause increased overhead to the router as it has to fragment each packet, and I understand some firewalls may not even allow fragmented packets through. However, changing settings on users' desktops / servers is not very scalable, and there will come a time when this isn't possible (old printers??). Is there any specific configuration advice that can be recommended?

Phil

I have had good success using the ip tcp adjust-mss command to solve this problem. This command goes on the router interface and will intercept and modify the TCP SYN which is negotiating the MSS and will set it to the size that you specify. It causes the end station to use the smaller size but does not require that you change anything at the client machine. It is a very scalable and satisfactory solution.

HTH

Rick

Rick,

Thanks for this reply. Had a look and this refers to configuring this (along with ip mtu) for PPPoE mainly - have you used this for VPNs or solely PPPoE?

Phil

Hi Phil,

ip tcp adjust-mss works unrelated to the infrastructure used.

Put this command on all the user router interfaces but the VPN one. The TCP connections will be "fooled" at the handshake to use a lower MTU.

Please note that command is used to specify the MSS amount (for an MTU of 1300 the MSS is 1260).

As well, on those interfaces use ip mtu matching the MSS so that the IP-savvy hosts will send the traffic well dimensioned from the start.

Please rate if this helped.

Regards,

Daniel
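The MSS clamp that Rick and Daniel describe, as an added example that is not part of this thread and not Cisco code: a Python model of what ip tcp adjust-mss does to a TCP SYN passing through the router (rewrite the MSS option, fix the TCP checksum, leave everything else alone), plus the MTU-to-MSS arithmetic from Daniel's reply. The sample SYN, its addresses 10.0.0.10 / 10.0.1.20 and ports are constructed for the example.

```python
# Added example (not from the thread): models what "ip tcp adjust-mss" does to a TCP SYN.
import struct

IP_HDR, TCP_HDR = 20, 20            # IPv4 and TCP headers without options

def mss_for_mtu(mtu: int) -> int:
    """Largest MSS that fits a path of the given MTU (MTU 1300 -> MSS 1260)."""
    return mtu - IP_HDR - TCP_HDR

def ones_complement_sum(data: bytes) -> int:
    data += b"\x00" * (len(data) % 2)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def tcp_checksum(pkt: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header and segment, checksum field taken as zero."""
    ihl = (pkt[0] & 0x0F) * 4
    seg = pkt[ihl:ihl + 16] + b"\x00\x00" + pkt[ihl + 18:]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(seg))
    return (~ones_complement_sum(pseudo + seg)) & 0xFFFF

def clamp_syn_mss(pkt: bytes, max_mss: int) -> bytes:
    """Lower the MSS option of a TCP SYN to max_mss; anything else passes unchanged."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or not pkt[ihl + 13] & 0x02:       # not TCP, or SYN bit clear
        return pkt
    buf = bytearray(pkt)
    i, end = ihl + TCP_HDR, ihl + (pkt[ihl + 12] >> 4) * 4
    while i < end and buf[i] != 0:                     # walk options until end-of-list
        if buf[i] == 1:                                # NOP padding
            i += 1
            continue
        if buf[i] == 2 and buf[i + 1] == 4 and struct.unpack_from("!H", buf, i + 2)[0] > max_mss:
            struct.pack_into("!H", buf, i + 2, max_mss)
            struct.pack_into("!H", buf, ihl + 16, tcp_checksum(bytes(buf)))
            break
        i += max(buf[i + 1], 2)                        # never loop on a bad option length
    return bytes(buf)

def build_syn(mss: int) -> bytes:
    """Constructed sample: IPv4 (DF set) + TCP SYN 10.0.0.10:40000 -> 10.0.1.20:443."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    tcp += struct.pack("!BBH", 2, 4, mss)              # MSS option: kind 2, length 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 10]), bytes([10, 0, 1, 20]))
    pkt = ip[:10] + struct.pack("!H", (~ones_complement_sum(ip)) & 0xFFFF) + ip[12:] + tcp
    return pkt[:IP_HDR + 16] + struct.pack("!H", tcp_checksum(pkt)) + pkt[IP_HDR + 18:]
```

Only the handshake is touched, which is why the command helps TCP but, as Daniel notes further down, does nothing for UDP.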

Phil

I have not done it with PPPoE at all. I have done it many times with VPN. I generally put it on the LAN interface of the router where traffic from end stations is received. I have also seen it used on the outbound interface. It was my understanding from the documentation that it was to be applied on physical interfaces but I have seen a configuration where it was applied on a GRE tunnel with the assertion that it worked there.

Give it a try - I think you will find that it works for you.

HTH

Rick

Rick,

What about UDP packets? Any similar command for this protocol, or only TCP connections?

thanks again,

Phil

Hi Phil,

UDP doesn't have a handshaking mechanism, so this command doesn't apply. Normally UDP doesn't have any issues with MTU as the packets are never that big. As well, in a normal enterprise UDP is only about 3% of the traffic (DNS, VoIP, TFTP).

Please rate if this helped.

Regards,

Daniel

I just applied the command ip tcp adjust-mss 1242 to my VPN tunnel interfaces in Austin and Tucson with the ip mtu 1440 already there and it instantly cleared up some RDP issues as well as some Exchange connectivity issues. Thanks for the help.

Juan

I am glad that our suggestions were able to point you toward the solution to your problem.

The ip tcp adjust-mss is a very useful command in environments like VPN that add extra headers to packets.

HTH

Rick