Cisco Support Community

New Member

Can't browse without the command "ip tcp adjust-mss 1452"

Hi All,

We have an ASR 1001 router which is directly connected to the upstream provider. A few weeks back my service provider changed their end router to an ASR 9000 series router. Since then we can't browse some sites such as www.yahoo.com and login.yahoo.com without the command ip tcp adjust-mss 1452 on the WAN side interface.

Can anyone explain why this happened?

10 REPLIES
New Member

Can't browse without the command "ip tcp adjust-mss 1452"

This command is very helpful when there is an MTU issue in the packet path. It sets the maximum segment size so there will be no need to fragment the packet.

You can test the connection without this command by sending an ICMP packet with a packet size of more than 1452 + TCP header + IP header + L2 header, with the DF bit set; you will notice the ping is not successful.

Regards

Please rate if this is helpful

Re: Can't browse without the command "ip tcp adjust-mss 1452"

Hi,

I assume you already know about MTU, MSS, PMTUD etc.

If not, you will find some useful information in the document "Resolve IP Fragmentation, MTU, MSS, and PMTUD Issues with GRE and IPSEC".

The value of 1452 is interesting. TCP endstations calculate the MSS from their local interface MTU value (normally 1500 bytes) and negotiate an MSS which is admissible for both endstations' interfaces (normally 1460 bytes). So we can assume that in the end-to-end path we have somewhere an interface "eating up" 8 bytes of MTU.

I suspect this is an MPLS interface (4 bytes per label); perhaps you could ask your SP?

[EDIT]: ... more likely PPPoE, like stated by Joseph.

Hope that helps

Rolf

Super Bronze

Re: Can't browse without the command "ip tcp adjust-mss 1452"

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

That would often be indicative of PPPoE, where some device isn't fragmenting packets or telling other devices (if PMTUD is active) that the max MTU is 1492.

New Member

Can't browse without the command "ip tcp adjust-mss 1452"

Thanks Amjad, Rolf and Doherty.

Please also refer to the attachment, which shows my basic network setup.

* According to my SP, they have connected a laptop directly to their service provider router and they confirmed that they can access the sites I have mentioned.

* I don't think there's an MPLS interface in between on our uplink; even if there is such an interface, can I find out without asking my SP?

* There was no issue until they changed their end router. Can someone please tell me how to troubleshoot this issue?

Re: Can't browse without the command "ip tcp adjust-mss 1452"

There is a handy command line tool for Windows called mturoute (set the -t option) to find the device and interface (IP-address) with the lower MTU.

New Member

Re: Can't browse without the command "ip tcp adjust-mss 1452"

Thanks a lot Rolf, very useful tool.

* I have observed the following.

++ output via not working ISP ++

D:\>mturoute -t -x www.yahoo.com

mturoute to [redacted], 30 hops max, variable sized packets

* ICMP Fragmentation is not permitted. *

* Speed optimization is enabled. *

* Maximum payload is 10000 bytes. *

1  +-  host: a.a.a.a  max: 1500 bytes   ===> My GW Router

2  +-  host: b.b.b.b  max: 1500 bytes  ===> Up Stream provider WAN IP

3  +-  host: c.c.c.c  max: 1500 bytes ====> Up Stream provider IP

4  ...-+++++++++.-++  host: d.d.d.d  max: 1496 bytes

5  +.-  host: e.e.e.e  max: 1496 bytes ====> Yahoo IP

6  +.-  host: f.f.f.f  max: 1496 bytes

*6 (An additional device responded for f.f.f.f)

7  ++--+---+++-+++-  host: g.g.g.g  max: 1500 bytes

*7 (An additional device responded for g.g.g.g)

*7 (An additional device responded for g.g.g.g)

8  +-  host: h.h.h.h  max: 1500 bytes

*8 (An additional device responded for h.h.h.h)

*8 (An additional device responded for h.h.h.h)

9  +-  host: i.i.i.i  max: 1500 bytes

10  +-  host: j.j.j.j  max: 1500 bytes

++ output via a working ISP ++

E:\>mturoute -x -t www.yahoo.com

mturoute to [redacted], 30 hops max, variable sized packets

* ICMP Fragmentation is not permitted. *

* Speed optimization is enabled. *

* Maximum payload is 10000 bytes. *

1  +-  host: a.a.a.a  max: 1500 bytes

2  .+-  host: b.b.b.b  max: 1500 bytes

3  +-  host: c.c.c.c  max: 1500 bytes

4  +-  host: d.d.d.d  max: 1500 bytes

5  +-  host: e.e.e.e  max: 1500 bytes

6  +-  host: f.f.f.f  max: 1500 bytes

7  +-  host: g.g.g.g  max: 1500 bytes

*7 (An additional device responded for g.g.g.g)

*7 (An additional device responded for g.g.g.g)

8  +-  host: h.h.h.h  max: 1500 bytes

*8 (An additional device responded for h.h.h.h)

*8 (An additional device responded for h.h.h.h)

9  +-  host: i.i.i.i  max: 1500 bytes

*9 (An additional device responded for i.i.i.i)

10  +-  host: j.j.j.j  max: 1500 bytes

*10 (An additional device responded for j.j.j.j)

11  +-  host: k.k.k.k  max: 1500 bytes

*11 (An additional device responded for k.k.k.k)

12  +-  host: l.l.l.l  max: 1500 bytes

Can anyone please explain why there are only 4 bytes missing?
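As an added illustration (not part of the original thread and not code from mturoute), the Python sketch below parses hop lines in the format posted above, finds the first hop reporting a reduced MTU, and checks which MSS values fit that path: 1452 fits a 1496-byte path, the default 1460 does not. The function names and the 40-byte IPv4 + TCP header figure (no IP options) are assumptions of this example.

```python
import re

# A subset of the hop lines from the "not working ISP" mturoute output in the
# post above (addresses already anonymised there); trailing notes are ignored.
SAMPLE = """\
1  +-  host: a.a.a.a  max: 1500 bytes   ===> My GW Router
2  +-  host: b.b.b.b  max: 1500 bytes
3  +-  host: c.c.c.c  max: 1500 bytes
4  ...-+++++++++.-++  host: d.d.d.d  max: 1496 bytes
5  +.-  host: e.e.e.e  max: 1496 bytes
*6 (An additional device responded for f.f.f.f)
7  ++--+---+++-+++-  host: g.g.g.g  max: 1500 bytes
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+[+.\-]+\s+host:\s+(\S+)\s+max:\s+(\d+)\s+bytes")
IPV4_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header (MSS excludes both)


def parse_hops(text):
    """Return (hop, host, max_bytes) for each hop line; other lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2), int(m.group(3))))
    return hops


def analyse(text, local_mtu=1500):
    """Summarise a trace: the usable path MTU is the smallest value on the path."""
    hops = parse_hops(text)
    if not hops:
        raise ValueError("no hop lines found")
    path_mtu = min(local_mtu, min(size for _, _, size in hops))
    first_reduced = next((h for h in hops if h[2] < local_mtu), None)
    return {
        "path_mtu": path_mtu,
        "first_reduced_hop": first_reduced,   # where to start asking the provider
        "overhead": local_mtu - path_mtu,     # bytes lost to encapsulation
        "max_mss": path_mtu - IPV4_TCP_HEADERS,
    }


def clamp_fits(mss, path_mtu):
    """True if a full-sized segment with this MSS fits the path unfragmented."""
    return mss + IPV4_TCP_HEADERS <= path_mtu


if __name__ == "__main__":
    result = analyse(SAMPLE)
    print(result, clamp_fits(1452, result["path_mtu"]), clamp_fits(1460, result["path_mtu"]))
```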

New Member

Re: Can't browse without the command "ip tcp adjust-mss 1452"

4 bytes? A VPN label will add 4 bytes; also, a VLAN tag will add an extra 4 bytes to the frame. This is something you can't change; your ISP will change it if he is okay with that, otherwise use the mss tcp adjust command as a workaround.

New Member

Re: Can't browse without the command "ip tcp adjust-mss 1452"

Thanks for the reply Amjad.

Recently I found out that this issue is only with a few of my IP ranges. I have done the same test with a totally different IP block and the results are as expected (no deduction in MTU size).

How can this MTU issue be related to certain IP blocks?

Anyway, my ISP is also checking on this issue. So far they haven't come up with any solution.

Adding to the above, is it wise to use the TCP ADJUST command on my WAN interface as a permanent solution?

New Member

Re: Can't browse without the command "ip tcp adjust-mss 1452"

Usually, ISPs have redundant links and use something called ECMP, "Equal Cost Multi-Path". Based on the header of the frame, the packet will be switched to one of these paths. For example, in an IP network this will depend on the source and destination IP address, and in an L2 VPN it will use the top and bottom label.

And regarding the TCP adjust command, I would recommend keeping it in there; this will keep you connected even if something goes wrong on your ISP's side.

Super Bronze

Re: Can't browse without the command "ip tcp adjust-mss 1452"

Amjad Abdelhalim wrote:

4 bytes? A VPN label will add 4 bytes; also, a VLAN tag will add an extra 4 bytes to the frame. This is something you can't change; your ISP will change it if he is okay with that, otherwise use the mss tcp adjust command as a workaround.

The 4 bytes could also be an MPLS label (which is what Amjad might also mean).

This might be as simple as forgetting to configure an interface as MPLS. Bumped into this years ago with one of our service providers using MPLS under the covers.

It might also explain why it doesn't work to only some destinations - i.e. they need to cross that particular provider's interface.
