
New Member

IPSec VPN MTU issue over ADSL

Hello Guys,

I am deploying IPSec VPN over an MPLS L3 ADSL link between the Head Office and different branch locations. VPN tunnels are up and running; I can successfully ping both sides. But browsing is very, very slow. Users at remote sites cannot browse the servers at the head office, nor the internet. I have tried the following things:

1) Setting MTU in outside interface

2) Setting ip tcp adjust-mss in outside interface

3) Crypto ipsec df-bit clear (both locations)

4) Route-map clearing df-bit

Browsing is still the same. I can't figure out where the problem is: in my configuration or at the ISP side?

Devices used for this configuration are:

Head Office: Cisco C3945 Software (C3900-UNIVERSALK9-M), Version 15.2(4)M3

Branch Office: Cisco C2911 Software (C2900-UNIVERSALK9-M), Version 15.3(2)T

I have attached configuration below:

Thank you

Sudan Dhakal

10 REPLIES
New Member

Re:IPSec VPN MTU issue over ADSL

How much did you adjust the TCP MSS?


Sent from Cisco Technical Support Android App

New Member

IPSec VPN MTU issue over ADSL

Hello Bader,

After testing different-size ping packets from a Windows machine at a remote location:

>ping x.x.x.x

reply success

>ping x.x.x.x -l 1500 -f

packet needs to be fragmentated but df set

packet needs to be fragmentated but df set

>ping x.x.x.x -l 1350 -f

packet needs to be fragmentated but df set

packet needs to be fragmentated but df set

>ping x.x.x.x -l 1340 -f

reply success

reply success

I set different MSS values to test, but nothing worked. The running configuration has the ip tcp adjust-mss 1300 value.

Regards,

Sudan Dhakal
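Added worked example (not from the original posters or from Cisco): it turns the `ping -l <size> -f` results quoted above into bounds on the clear-text path MTU, then shows how ESP tunnel-mode overhead determines the TCP MSS a router should clamp to. The ESP transform sizes, the transform-set names and the 1492-byte PPPoE outer MTU are assumptions for illustration, not values taken from the thread.

```python
"""Added worked example (not from the original posters): turn the `ping -l
<size> -f` results quoted in this thread into path-MTU bounds, then show how
ESP tunnel-mode overhead determines the TCP MSS to clamp to. The cipher/hash
sizes and the 1492-byte PPPoE MTU below are assumptions, not thread values."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

IP_HDR = 20      # IPv4 header without options
ICMP_HDR = 8     # ICMP echo header
TCP_HDR = 20     # TCP header without options
ESP_HDR = 8      # SPI + sequence number
ESP_TRAILER = 2  # pad length + next header

# Constructed from the results posted above: Windows `ping -l N -f` sends an
# ICMP echo with N payload bytes and DF set; True = reply, False = "needs to
# be fragmented but DF set".
PING_RESULTS = {1500: False, 1350: False, 1340: True}


def icmp_ip_size(payload: int) -> int:
    """Total IPv4 datagram size produced by Windows `ping -l payload`."""
    return IP_HDR + ICMP_HDR + payload


def path_mtu_bounds(results: dict[int, bool]) -> tuple[int, Optional[int]]:
    """Return (largest passing, smallest failing) IP datagram size.

    The clear-text path MTU satisfies lower <= MTU < upper; upper is None
    when no size failed. Inconsistent results (a bigger packet passed while
    a smaller one failed) usually mean a stateful device or ICMP filtering
    is interfering and the sweep should be repeated.
    """
    passed = [icmp_ip_size(p) for p, ok in results.items() if ok]
    failed = [icmp_ip_size(p) for p, ok in results.items() if not ok]
    if not passed:
        raise ValueError("no DF ping succeeded; lower bound unknown")
    lower = max(passed)
    upper = min(failed) if failed else None
    if upper is not None and upper <= lower:
        raise ValueError("inconsistent sweep: a smaller packet failed but a larger one passed")
    return lower, upper


@dataclass(frozen=True)
class EspProfile:
    """ESP transform sizes; values assumed from RFC 4303 / RFC 3602 / RFC 2404."""
    name: str
    block_size: int  # CBC padding boundary (AES: 16, 3DES: 8)
    iv_len: int      # explicit IV (AES-CBC: 16, 3DES-CBC: 8)
    icv_len: int     # truncated HMAC (SHA1-96 / MD5-96: 12)


# Hypothetical transform sets for illustration.
AES_SHA1 = EspProfile("esp-aes esp-sha-hmac", 16, 16, 12)
DES3_MD5 = EspProfile("esp-3des esp-md5-hmac", 8, 8, 12)


def esp_tunnel_size(inner_len: int, prof: EspProfile) -> int:
    """Outer datagram size for an inner IP packet of inner_len bytes in ESP
    tunnel mode: new IP header + ESP header + IV + padded (inner + trailer) + ICV."""
    to_encrypt = inner_len + ESP_TRAILER
    pad = (-to_encrypt) % prof.block_size
    return IP_HDR + ESP_HDR + prof.iv_len + to_encrypt + pad + prof.icv_len


def max_inner_size(outer_mtu: int, prof: EspProfile) -> int:
    """Largest clear-text IP packet that still fits outer_mtu after ESP."""
    size = outer_mtu
    while esp_tunnel_size(size, prof) > outer_mtu:
        size -= 1
    return size


def mss_from_clear_mtu(clear_mtu: int) -> int:
    """TCP MSS a router should clamp to for a given clear-text path MTU."""
    return clear_mtu - IP_HDR - TCP_HDR


def recommended_mss(outer_mtu: int, prof: EspProfile) -> int:
    """MSS to configure so encrypted segments never exceed outer_mtu."""
    return mss_from_clear_mtu(max_inner_size(outer_mtu, prof))


if __name__ == "__main__":
    lower, upper = path_mtu_bounds(PING_RESULTS)
    print(f"measured clear-text path MTU: {lower} <= MTU < {upper}")
    print(f"MSS safe for that measurement: {mss_from_clear_mtu(lower)}")
    for prof in (AES_SHA1, DES3_MD5):   # assumed 1492-byte PPPoE outer MTU
        print(f"{prof.name}: max inner {max_inner_size(1492, prof)}, "
              f"MSS {recommended_mss(1492, prof)}")
```

For the sweep quoted above, the 1340-byte payload that succeeded is a 1368-byte IP datagram and the 1350-byte payload that failed is 1378 bytes, so the clear-text path MTU lies in [1368, 1378) and any MSS at or below 1328 keeps full-size segments from needing fragmentation inside the tunnel. The ESP calculation is the other direction of the same problem: given the outer MTU and the transform set, it yields the largest inner packet and therefore the MSS to clamp, which is why a value that looks "low enough" can still be too high for a particular cipher, IV and padding combination.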

Silver

IPSec VPN MTU issue over ADSL

Perform some packet captures on client and server.

New Member

IPSec VPN MTU issue over ADSL

Hello Peter,

Wireshark captures at the branch location show almost every packet as "TCP segment of a reassembled PDU" and lots of bad checksums.

Regards,

Sudan Dhakal

New Member

Re: IPSec VPN MTU issue over ADSL

Hi Sudan

You have one of the two issues:

A) Path MTU discovery issues, where the clients can't find the MTU and default to a very low MTU
Solution: use a tool like MTU Path to find if there is any device not replying to the MTU path discovery: http://www.iea-software.com/products/mtupath.cfm

B) TCP MSS values are still high. Try to lower this to 1260.


Take care

Sent from Cisco Technical Support iPad App

Silver

Re: IPSec VPN MTU issue over ADSL

2) Setting ip tcp adjust-mss in outside interface

It does not affect TCP, as traffic on the outside is already encapsulated in IPsec. Put that command on the inside interface.

New Member

Re: IPSec VPN MTU issue over ADSL

Peter,

Are you sure about that?

Sent from Cisco Technical Support iPad App

Silver

Re: IPSec VPN MTU issue over ADSL

Are you sure about that?

Actually, I'm not entirely positive. Haven't tested it.

I would say if you put it on inside interface, it's guaranteed.

New Member

Re: IPSec VPN MTU issue over ADSL

Peter

You are correct. It will also work, but... that also means you need to apply the command to each internal interface, and it will also change the MSS for the internal traffic, which is not required.

Applying it on the outside interface will guarantee that only VPN traffic will have a lower MSS.

Silver

IPSec VPN MTU issue over ADSL

Sudan, is it solved?

Let me see the captures; the MSS values and packet/segment sizes should be checked.

2248 Views, 0 Helpful, 10 Replies