12-18-2007 01:31 AM - edited 03-03-2019 07:58 PM
Hi,
We have a dmvpn setup and some troubles with mtu. Pictures in the web browser does not show.
Here is the setup:
!
interface Tunnel1
ip address 10.226.0.2 255.255.0.0
ip mtu 1440
ip nhrp authentication
ip nhrp map multicast 87.238.66.4
ip nhrp map 10.226.0.1 87.238.66.4
ip nhrp network-id 666
ip nhrp nhs 10.226.0.1
ip nhrp cache non-authoritative
ip tcp adjust-mss 1400
no ip split-horizon
tunnel source FastEthernet4
tunnel destination
tunnel
tunnel protection ipsec profile DMVPN
!
We have also tried this setup with better performance , but still some problems on some web pages.
!
interface Tunnel1
ip address 10.226.0.2 255.255.0.0
ip mtu 1500
ip nhrp authentication
ip nhrp map multicast 87.238.66.4
ip nhrp map 10.226.0.1 87.238.66.4
ip nhrp network-id 666
ip nhrp nhs 10.226.0.1
ip nhrp cache non-authoritative
ip tcp adjust-mss 1400
no ip split-horizon
tunnel source FastEthernet4
tunnel destination
tunnel
tunnel protection ipsec profile DMVPN
!
!
interface Vlan1
description LAN-interface
ip address 10.172.56.1 255.255.255.0
ip tcp adjust-mss 1400
ip verify unicast source reachable-via rx
ip helper-address !
BR,
Bjornarsb
12-18-2007 02:06 AM
To be absolutely sure that the mtu will fit end-to-end without fragmentation, please try the following:
int (DMVPN-Gateway)
ip mtu 1340
ip tcp adjust-mss 1300
Note that the adjustment of the mss must be applied at the correct spot, namely the LAN-interface of your gateway to the DNVPN network.
regards,
Leo
12-18-2007 04:49 AM
Hi,
It does not work.
Central router :
!
interface Tunnel1
ip address 10.226.0.1 255.255.0.0
no ip redirects
ip mtu 1340
ip nhrp authentication
ip nhrp map multicast dynamic
ip nhrp network-id 666
ip tcp adjust-mss 1300
no ip split-horizon
tunnel source Loopback1
tunnel mode gre multipoint
tunnel key
tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/0
ip address 192.168.7.x 255.255.255.0
ip tcp adjust-mss 1300
speed 100
full-duplex
crypto map DMVPN
!
Customer router:
!
interface Tunnel1
ip address 10.226.0.2 255.255.0.0
ip mtu 1340
ip nhrp authentication
ip nhrp map multicast
ip nhrp map 10.226.0.1
ip nhrp network-id 666
ip nhrp nhs 10.226.0.1
ip nhrp cache non-authoritative
ip tcp adjust-mss 1300
no ip split-horizon
tunnel source FastEthernet4
tunnel destination 87.238.66.4
tunnel key
tunnel protection ipsec profile DMVPN
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description Mot_lokal_ISP_
ip address 82.x.x.x 255.255.255.252
ip access-group DENY-WORLD-in in
ip virtual-reassembly
duplex auto
speed auto
crypto map DMVPN
!
interface Vlan1
description LAN-interface
ip address 10.172.56.1 255.255.255.0
ip verify unicast source reachable-via rx
ip helper-address 172.29.251.30
ip tcp adjust-mss 1300
!
BR,
Bjornarsb
12-18-2007 05:34 AM
When this was purely an MTU-issue, you should have noticed a difference. This makes me think your problem could lie elsewhere.
Therefore, may I ask what makes you think this is mtu-related.
Can you trie to verify the actual mtu when using the GRE-tunnels? The following link might be helpful:
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml
regards,
Leo
12-18-2007 06:28 AM
Hi,
Strange it seems like 628 i the limit ?
Dec 18 15:21:22.786 CET: Tunnel1: GRE/IP encapsulated -> (linktype=7, len=68)
Dec 18 15:21:22.790 CET: Tunnel1: GRE/IP encapsulated (linktype=7, len=628)
Dec 18 15:21:22.794 CET: Tunnel1: GRE/IP encapsulated (linktype=7, len=628)
Dec 18 15:21:22.794 CET: Tunnel1: GRE/IP encapsulated (linktype=7, len=260)
Dec 18 15:21:22.798 CET: Tunnel1: GRE/IP encapsulated (linktype=7, len=69)
BR,
Bjornarsb
12-18-2007 09:45 AM
It could also be that your traffic is all relatively small in size. To verify mtu size, use an extended ping with DF-bit set and varying packet size.
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080093f22.shtml
You will notice that all pings will fail above a certain packetsize. Example from my laptop:
C:\WINDOWS>ping 192.168.21.1 -f -l 1272
Pinging 192.168.21.1 with 1272 bytes of data:
Reply from 192.168.21.1: bytes=1272 time=2ms TTL=255
Reply from 192.168.21.1: bytes=1272 time=2ms TTL=255
Reply from 192.168.21.1: bytes=1272 time=4ms TTL=255
Reply from 192.168.21.1: bytes=1272 time=2ms TTL=255
Ping statistics for 192.168.21.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 4ms, Average = 2ms
C:\WINDOWS>ping 192.168.21.1 -f -l 1274
Pinging 192.168.21.1 with 1274 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Ping statistics for 192.168.21.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\WINDOWS>
The highest number that succeeded was 1272 bytes. Add to this 20 bytes ip header plus 8 bytes icmp header for a total of 1300.
This is your actual MTU.
regards,
Leo
12-18-2007 03:51 AM
Beforewarned, that MSS and MTU are different. For TCP/IP, the MSS is MTU + 40 bytes.
This is because MTU is measured including L3 and L4 headers (containment of L2 header) and MSS is measured how much data can be in one segment (TCP in this case).
So if anything, you should try setting:
ip mtu 1400
ip tcp adjust-mss 1360
Hope this helps
12-18-2007 04:58 AM
When we are manipulating the mss value, do we need to specify the mtu on interface. As per your explanation, MSS now should be 1360+40=1400.
12-18-2007 06:09 AM
MTU setting is for the whole interface, while MSS setting is only for the TCP SYN packets going through the router.
From the command description: "To adjust the maximum segment size (MSS) value of TCP SYN packets going through a router, use the ip tcp adjust-mss command"
Maximum for this command is 1460 (i.e. 1500 - 20 byte IP header - 20 byte TCP header)
MTU command is for all communication and is actually alters interface functions. MSS command intercepts TCP SYN and modifies data there. You should always use "ip mtu" and optionally "ip tcp adjust-mss" command, in case hosts do not support automatic MTU discovery.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide