Ping df size 1400-failed

jazzlim2004
Level 1

Hi,

I tried to ping with mtu size 1400 via VPN tunnel but failed.

Kim#ping 192.168.2.1 df size 1400

Sending 5, 1400-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with the DF bit set
M.M.M
Success rate is 0 percent (0/5)

May I know why this is so, and how will it affect my system if the MTU fails at 1400?

My tunnel mtu is set to 1400

sh crypto ipsec sa:

path mtu 1452, ip mtu 1452, ip mtu idb Dialer0

Thank you

Accepted solution: Jennifer Halim's reply below recommending a TCP MSS of 1322 on the inside interface rather than a change to the interface IP MTU.

7 Replies

Jennifer Halim
Cisco Employee

After the ping packet is encrypted, extra headers are added to it; hence a ping with a packet size of 1400 fails.

From that output, the IP MTU is 1452, and IPsec encryption normally adds about 56 bytes of headers to the packet, hence it fails. If you have a GRE over IPsec tunnel, it adds a little more for the GRE header.

Here is an article for your reference on IPSec packet size and issues:

http://www.networkworld.com/subnets/cisco/1114-ch4-ipsec-vpn.html?page=8

Hope that helps.

Hi again,

I was trying to calculate the overheads for ESP-AES-256 esp-sha-hmac with tunnel mode. Below is my understanding:

20 (tunnel) + 8 (ESP headers) + 16 (IV) + 2 (trailer) + 32 (SHA) = 78 bytes

AES padding for 1400 bytes = 0 (43 blocks of 32 bytes)

Total overhead = 78 bytes (May I know if my understanding is correct?)

Thus, I should set my MTU size to 1322?

What command can I use to check the packet size sent and received on the router?

Thank you in-advance! : )

That's more or less correct...

You do not want to change the IP MTU on an interface from the default; what you would like to change is the TCP MSS to 1322 on the inside interface/LAN interface of your router. It will negotiate a lower MSS value during TCP negotiation, so when the TCP packet is encrypted into an ESP or GRE/ESP packet, it passes through the interface MTU (typically 1500 bytes) just fine.
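The overhead arithmetic from the two posts above, worked through in code. This is an added example, not code from the thread or from Cisco, and the function names are my own. It assumes the standard field sizes for the suite the poster names (AES-CBC with a 16-byte IV and 16-byte block, HMAC-SHA1-96 with a 12-byte ICV, an 8-byte ESP header, a 2-byte trailer plus block padding, and a 20-byte outer IPv4 header in tunnel mode); the "about 56 bytes" figure above is exactly the padding-independent part of that sum. It goes slightly beyond the thread by also handling GRE over IPsec and transport mode, and by turning the result into the largest DF ping that can pass and the TCP MSS to advertise.

```python
"""ESP size arithmetic for an IPsec tunnel (added example, not code from the thread).

Field sizes assumed, all standard for esp-aes 256 / esp-sha-hmac in tunnel mode:
  outer IPv4 header (tunnel mode)        20 bytes, no options
  ESP header (SPI + sequence number)      8 bytes
  AES-CBC IV / AES block size            16 bytes (RFC 3602)
  ESP trailer (pad length, next header)   2 bytes, then padding to a whole block
  HMAC-SHA1-96 ICV                       12 bytes (RFC 2404)
  GRE over IPsec                         +4 GRE header, +20 delivery IP header
"""
import math

OUTER_IP = 20
ESP_HDR = 8
IV = 16
BLOCK = 16
TRAILER = 2
ICV = 12
GRE_ENCAP = 4 + 20
IPV4_TCP_HDRS = 20 + 20           # TCP MSS = max cleartext IP packet minus these

# Padding-independent part of the tunnel-mode overhead: 56 bytes.
FIXED_OVERHEAD = OUTER_IP + ESP_HDR + IV + ICV


def esp_packet_len(inner_len, gre=False, tunnel=True):
    """Bytes on the wire for an ESP packet carrying an inner IP packet of inner_len bytes."""
    if gre:
        inner_len += GRE_ENCAP
    # ESP encrypts inner packet + 2-byte trailer, padded up to a whole AES block.
    encrypted = math.ceil((inner_len + TRAILER) / BLOCK) * BLOCK
    outer = OUTER_IP if tunnel else 0   # transport mode reuses the original IP header
    return outer + ESP_HDR + IV + encrypted + ICV


def esp_padding(inner_len, gre=False):
    """Padding bytes ESP adds for this inner length (0..15 for AES)."""
    if gre:
        inner_len += GRE_ENCAP
    return (-(inner_len + TRAILER)) % BLOCK


def max_cleartext(mtu, gre=False, tunnel=True):
    """Largest inner IP packet whose ESP encapsulation still fits in mtu bytes."""
    outer = OUTER_IP if tunnel else 0
    room = mtu - (outer + ESP_HDR + IV + ICV)
    room -= room % BLOCK                 # the encrypted part must be whole blocks
    inner = room - TRAILER - (GRE_ENCAP if gre else 0)
    if inner <= 0:
        raise ValueError("MTU too small for this encapsulation")
    return inner


def tcp_mss(mtu, gre=False, tunnel=True):
    """TCP MSS to clamp to (ip tcp adjust-mss) so encrypted segments never need fragmenting."""
    return max_cleartext(mtu, gre, tunnel) - IPV4_TCP_HDRS


def ping_df_fits(size, mtu, gre=False, tunnel=True):
    """Would 'ping df size <size>' (size = whole IP datagram) survive encryption into mtu?"""
    return esp_packet_len(size, gre, tunnel) <= mtu


if __name__ == "__main__":
    for mtu in (1452, 1500):
        for gre in (False, True):
            label = "GRE/ESP" if gre else "ESP"
            print(f"MTU {mtu} {label:7}: max cleartext {max_cleartext(mtu, gre)}, "
                  f"TCP MSS {tcp_mss(mtu, gre)}, "
                  f"1400-byte DF ping fits: {ping_df_fits(1400, mtu, gre)}")
```

Running it for the 1452-byte Dialer0 IP MTU quoted in the question shows why the 1400-byte DF ping fails: the encrypted packet comes out at 1464 bytes in plain ESP tunnel mode, and the largest cleartext datagram that fits is 1390 (1366 if GRE is carried inside ESP). The exact boundary moves in 16-byte steps because of AES padding, which is why probing with ping sizes finds it empirically.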

Thank you so much for the prompt reply (as always) ; )

sorry another questions to seek your advise:

I failed to ping with df size 1380 but was successful with size 1379, with 5 encrypted packets sent.

Any idea how to determine the actual encrypted packet size? or anyway to know the exact overheads. I cannot use wireshark as my router is connected directly to ISP gateway.

Thank you

Typically, that is how you would determine the biggest cleartext packet you can send through the tunnel before it gets encrypted, i.e., by doing an extended ping with different packet sizes with the DF bit set, as you have done.

I can't tell you exactly how many bytes the overheads are, however, the ping test that you have performed is normally how you would determine that.

You can also perform packet capture on the router itself to see what is the packet before it is being sent out the interface:

http://www.cisco.com/en/US/partner/docs/ios/netmgmt/configuration/guide/nm_packet_capture_ps10591_TSD_Products_Configuration_Guide_Chapter.html

Hi Jennifer,

There is a time and place where you would lower the MTU on the interface. The MSS you are referencing is only for TCP and that's only one portion of IP packets. There are lots of UDP packets out there which needlessly are fragmented.

So, absolutely lower the MTU for UDP packets. MSS is only for TCP.

On a Windows box, do the following:

ping -f -l 1500 x.x.x.x

Keep lowering the value 1500 until you no longer get the message:

Packet needs to be fragmented but DF set.

Then do the following math: Final MTU = x (the value you get from ping -f -l) + 8 bytes ICMP header + 20 bytes IP header
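The DF-ping probing procedure from this post and from the earlier reply about extended pings with different sizes, as an added example that is not code from the thread. It assumes the Windows semantics stated above (ping -f -l N sends an N-byte ICMP payload with DF set, so the IP datagram is N + 8 + 20 bytes) and the English-locale output string quoted in the post; it replaces the one-byte-at-a-time decrement with a binary search, which needs about a dozen pings instead of dozens or hundreds, and it includes a constructed offline stand-in for a real path so the search can be checked without a network.

```python
"""Path MTU discovery by DF-bit ping probing (added example, not code from the thread).

Windows 'ping -f -l N host' sends an ICMP echo with an N-byte payload and DF set,
so the IP packet on the wire is N + 8 (ICMP header) + 20 (IPv4 header) bytes.
"""
import subprocess

ICMP_HDR = 8
IPV4_HDR = 20
MAX_ETHERNET_PAYLOAD = 1500 - ICMP_HDR - IPV4_HDR   # 1472: the -l value for a 1500-byte MTU


def find_largest_payload(probe, lo=0, hi=MAX_ETHERNET_PAYLOAD):
    """Largest N in [lo, hi] for which probe(N) is True, or None if even lo fails.

    Assumes the path is monotonic: if N gets through unfragmented, every smaller
    N does too (true for a fixed path, which is what makes bisection valid).
    """
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def path_mtu_from_payload(payload):
    """The post's formula: MTU = payload + 8 (ICMP) + 20 (IP)."""
    return payload + ICMP_HDR + IPV4_HDR


class CountingProbe:
    """Wraps a probe and counts how many pings the search spent."""

    def __init__(self, probe):
        self.probe, self.calls = probe, 0

    def __call__(self, n):
        self.calls += 1
        return self.probe(n)


def simulated_probe(path_mtu):
    """Constructed stand-in for a real path: True when the DF packet fits the MTU."""
    return lambda n: n + ICMP_HDR + IPV4_HDR <= path_mtu


def windows_ping_probe(host, timeout_ms=2000):
    """Real probe using ping.exe; assumes an English-locale Windows, where the
    failure text is the one quoted in the post. (Linux equivalent, not wired up
    here: ping -M do -s N -c 1 host, which reports 'message too long'.)"""
    def probe(n):
        result = subprocess.run(
            ["ping", "-f", "-l", str(n), "-n", "1", "-w", str(timeout_ms), host],
            capture_output=True, text=True)
        out = result.stdout
        if "Packet needs to be fragmented but DF set" in out:
            return False
        return "TTL=" in out        # a reply came back; timeouts count as failures
    return probe


def discover_path_mtu(probe):
    """Returns (path MTU, number of pings used), or (None, pings) if nothing passes."""
    counted = CountingProbe(probe)
    payload = find_largest_payload(counted)
    if payload is None:
        return None, counted.calls
    return path_mtu_from_payload(payload), counted.calls


if __name__ == "__main__":
    mtu, pings = discover_path_mtu(simulated_probe(1444))
    print(f"simulated path: MTU {mtu} found with {pings} probes")
    # Against a real host from a Windows box:
    # print(discover_path_mtu(windows_ping_probe("192.168.2.1")))
```

Because the probe is monotonic, bisection over the 0..1472 payload range finds the boundary in at most twelve pings; the +28 arithmetic is the only step that turns the winning -l value into the MTU, and it applies equally to the IOS extended ping except that there the size argument already counts the IP header.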