Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3212
Views
0
Helpful
2
Replies

VTI Tunnels+IPSec, MSS Adjust, & WAAS

Ryan Posey
Level 1
Level 1

‎06-09-2010 08:07 PM

I just finished reading "Understanding Cisco WAAS Interaction with TCP Maximum Segment Size (MSS)" and still had a few questions about setting.

ip mtu <value>

tfo tcp original-mss <value>

tfo tcp optimized-mss <value>

All WAN traffic must be encrypted for our company.  We use VTI tunnels with IPSec to do this in a Hub & Spoke topology.

The WAN is Metro-E in many locations and supports a MTU of 1500. 

VTI Tunnels = 24~32 bytes (depending on options set, CheckSUM etc..)

IPSec = 56~58 bytes

Leaving 1420~1410 bytes for the MTU

We must then set the MSS adjust on the Ethernet interface of the router to a MSS that accounts for the TCP & IP Headers.

TCP Header = 20 bytes

IP Header = 20 bytes

Leaving 1380~1370 bytes for the MSS Adjust

Even when we set our MSS Adjust this low we still see a message in captures that state the traffic exceeded MTU by 57 bytes. We are assuming he router is accounting for the IPSec.  So we have pushed the MSS-Adjust down an additional 57 bytes to 1323~1313.

So how does this affect WAAS.  Should I set the Original & Optimized MSS to 1323~1313 or let it receive this from the router's ethernet LAN interface.  Also should I push the MTU size down to meet these values, or leave it alone and once again rely on the router to advertise the TCP segment size to the WAAS.

There are a few lines in the document that make me believe the WAAS will reset this MSS value to 1432 ignoring what the router advertises.  I questioning the wording of, "If WCCP is enabled, change the MSS value to the lesser of the client advertised MSS and 1432"

We are using WCCP and egress-method negotiated-return intercept-method wccp.  The WAAS is in the user subnet and the router is on an interconnect subnet to the core switch.

0 Helpful
2 Replies 2

Zach Seils
Level 7
Level 7

‎06-16-2010 05:18 AM

Hi Ryan,

The statement "If WCCP is enabled, change  the MSS  value to the lesser of the client advertised MSS and 1432" means that  WAAS will use the lesser of 1432 and what the MSS is set to in the SYN  packet (received by WAAS).  The use of the word "client" in your case is  misleading, since there is a transit device, the router, that is  adjusting the MSS value between the client and WAAS device.

Assuming  the MSS adjustment happens prior to the traffic being redirected to  WAAS, it's safe to leave the optimized/original MSS at their default  values.

Regards,

Zach

0 Helpful

sbrobak
Level 1
Level 1
In response to Zach Seils

‎11-23-2012 12:44 AM

Hi,

This post is very interesting. And have some questions.

My setup is:

client - switch - waas (inline) - branch router - wan - router (wccp redirect, gre) - server

the branch router is adjusting mss to match the lower mtu in wan.

What I see from wireshark traces is that SYN packet from client arrive at server with adjusted mss, but the SYN-ACK from client have the original mss. So when client start tranfering data, it start sending data with max segment size. So fragmentation has to be done. So my question is, is there any setting in waas to modificate the mss? Or do waas any "magic" here. I have tried to adjust the original and/or optimized side parameters in waas config, but no change in behavior.

Can't actually find any good Cisco documentation expaining (IN DETAILS) the mss and buffering.

waas software:4.4.5b.2

Regards, Steinar.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents