Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

MTU

How is it possible a router sends 1448 bytes of ftp data (frame size is 1514) but not sending 1394 bytes of ftp data (frame size is 1460) over an ipsec tunnel, the router sends ICMP destination unrechable message to the source, the ipsec tunnel mtu is 1476..

Any idea about allowing ICMP destination unrechable message on windows firewall..

19 REPLIES

Re: MTU

The windows firewall does not allow incoming destination unreachable. You must wither disable the windows firewall - or set you MTU to a lower value, so when the tcp session is negotiated, a lower MSS is chosen; that fits into you tunnel MTU with all overheads.

HTH>

New Member

Re: MTU

Andrew

How do i reduce the size of the MTU in the system.. guidance plz..

Hall of Fame Super Bronze

Re: MTU

You do that in the registry but there is a freeware in the internet with a GUI interface http://www.dslreports.com/drtcp

HTH,

__

Edison.

New Member

Re: MTU

How is it possible the router sends 1512 frame over ipsec tunnel (tunnel mtu is 1476) and not sending 1460 bytes frame over the same tunnel..

Re: MTU

As long as the DF = Do not Fragment bit is NOT set, then the router will fragment the packets.

A few applications will set the DF bit - as they require it, and the router will NOT fragment the packet, and drop it.

New Member

Re: MTU

Andrew

Both the system use the same application, the only difference is both of them geographically located in a different location

Re: MTU

Can you confirm the following:-

1) Is the DF bit set in the TCP header

2) What the MTU on the NIC's are @ both ends

3) What the MSS is negotiated within the TCP session establishment is?

New Member

Re: MTU

DF bit is set in both the cases

How do i check the MTU of the NIC card?

MSS is negotiated to 1460

Re: MTU

If that is indeed the case - then I am very surprised that it works at all.

If the DF bit is set, and the overall packet site is bigger than the MTU of the tunnel the router will drop it, and send an icmp packet "fragmentation required" message.

When you perform a packet capture on the end devices, do you see this?

d/l and install the below, this will tell you the nic mtu size and allow you to change it

http://www.dslreports.com/drtcp

New Member

Re: MTU

I tried this but this does not tell the current mtu...

Re: MTU

goto start<>run<>regedit

hkey_local_machine

system

currentcontrolset

services

tcpip

interface

<>

look for the registry setting called MTU - if there is one, then it will be any number other than 1500.

if there is no registry setting called MTU under the nic card - then it's the default mtu of 1500.

New Member

Re: MTU

I do not see any MTU so its default...

Re: MTU

so 1500 - with the DF bit, and a MSS of 1460, a device would drop the packet.

You need to do some packet captures to confirm that this is actually the case on the specific application.

Do you have any device in the path of the tcp session - that could perform a TCP MSS adjust?

New Member

Re: MTU

let me send u some attachments..

New Member

Re: MTU

i have location A and location B, the problem in location A

the destination for both the location is same

the last hop is same for both the locations (ipsec tunnel)

Location A : source ip 152.144.175.35 and destination is 152.144.253.61)...

Location B : source ip 161.228.80.77 and destination is 152.144.253.61)...

router ip with ipsec tunnel : 152.144.75.244

New Member

Re: MTU

Did u get the chance to look at the capture.. any idea of this behavior..

Re: MTU

In both captures of location A - packet 9 in the campture is an icmp "fragementation needed"

In the capture of location B - packet 9 is the same.

All the FTP data is being sent with the DF bit set, the frame sizes are to big for the VPN.

Do the VPN's terminate on the ASA/PIX devices?

New Member

Re: MTU

In location B the ftp data size is 1448 and the corresponding frame size is 1512 and this happily passes through the tunnel, at the same time in location A the ftp data size is 1394 and the corresponding frame size is 1460 and this does not passes through the tunnel.. this is strange..

the tunnel terminates on the router..

Re: MTU

That is not how I read the packet captures, everything is not OK with the FTP data stream.

I suggest you either

1) Change the interface MTU

2) Depending on the routing platform use the tcp mss-adjust feature to a lower MSS in the TCP syn/syn ack.

351
Views
0
Helpful
19
Replies
CreatePlease to create content